Testing in NASA Human-Rated Spacecraft Programs: How much is just enough? by Keith J. Britton M.S. Systems Management, Florida Institute of Technology, 1992 B.S. Mechanical Engineering, University of Central Florida, 1983 and Dawn M. Schaible M.S. Space Systems Operations, Florida Institute of Technology, 1992 B.S. Mechanical Engineering, Bradley University, 1987 Submitted to the System Design and Management Program in Partial Fulfillment of the Requirements for the Degree of Master of Science in Engineering and Management at the Massachusetts Institute of Technology February 2003 © 2003 Keith J. Britton and Dawn M. Schaible. The authors hereby grants to MIT permission to reproduce and to distribute publicly paper and electro nic copies of this thesis document in whole or in part. Signature of Author Keith J. Britton System Design and Management Program February 2003 Signature of Author Dawn M. Schaible System Design and Management Program February 2003 Certified by Nancy Leveson Thesis Supervisor Professor of Aeronautics and Astronautics Accepted by Steven D. Eppinger Co-Director, LFM/SDM GM LFM Professor of Management Science and Engineering Systems Accepted by Paul A. Lagace Co-Director, LFM/SDM Professor of Aeronautics & Astronautics and Engineering Systems Testing in NASA Human-Rated Spacecraft Programs: How much is just enough? by Keith J. Britton and Dawn M. Schaible Submitted to the System Design and Management Program in Partial Fulfillment of the Requirements for the Degree of Master of Science in Engineering and Management ABSTRACT Testing has long been recognized as a critical component of spacecraft development activities at the Nationa l Aeronautics and Space Administration (NASA). Determining the appropriate amount of testing, however, is a very difficult task. The objectives of this thesis are to document the test approaches and philosophies used within NASA and other organizations, to determine if these factors can be applied to all human-rated spacecraft programs, and to provide lessons learned for future projects. Through a series of expert interviews and review of current literature, a number of themes, findings and recommendations emerged. Some of the major themes the resulted from expert interviews include: Subjectivity of test requirements development: Typically, the actual test requirement decision process is not documented as a formal process but relies heavily on the judgme nt of the decision makers, adding to the overall subjectivity. Due to this subjectivity, testing practices are not consistent across the aerospace industry. Paradoxical nature of testing: Testing alone does not make a project successful, but it does raise confidence in the likelihood of success. Testing is often regarded as a drain on project resources, rather than a valuable undertaking. Vulnerability to changes and cutbacks: Most testing occurs late in the development phase. Since the budget and schedule pressures are most keenly felt at the end of a development program, testing becomes vulnerable to changes. Inadequate attention to testing: Testing, in general, does not receive as much attention as it should. Testing is often overlooked during the early planning phases of a project, in current literature, training programs and academia and in organizational status. 3 Some of the major findings include: For some projects, software is considered a stand-alone system: Today’s systems are becoming increasingly more reliant on software to operate successfully. Yet for many projects software is not being treated as an integral part of the overall system but as a separate stand-alone system. While testing practices vary, decision factors do not: Contrary to common belief, there is consistency in the decision factors used by the various decision makers. These common decision factors can be divided into technical (safety, risk and confidence building) and non-technical (resource availability, process, individual decision- making behavior and political/cultural influences). Decision makers must consider each of the sources of uncertainty, especially the effects of reuse, an inexperienced team and potential unexpected emergent behavior. Current methods of tracking testing costs are not sufficient: Actual cost figures for spacecraft testing programs are very difficult to determine because they are not typically tracked as a discrete line item in spacecraft programs. Life-cycle cost estimating is another area that should be enhanced and used in making test decisions. Upfront planning is a key to success, but be prepared for change: Early planning in both systems engineering and testing is necessary to manage the complexity of human-rated spacecraft programs. The early involvement of the test organization is also essential in establishing a set of firm test requirements that will be less vulnerable to changes later in the program. Testing is more of an art than a science: Experience and mentoring are more important than formal training in developing test engineering expertise. In order to maintain the knowledge base and core capabilities, test engineering should be treated as a valid profession with the same prestige level as other engineering disciplines. A few of the recommendations proposed include: o Form an agency-wide team to seek out best practices in the test engineering field. o Enhance the current risk management practices to include an assessment of all decisions making factors that contribute to the overall level of likelihood. o Establish improved training and mentoring programs for test engineers, perhaps through the creation of a test engineering corps. o Assign both responsibility and accountability for software to system engineering. Thesis Supervisor: Title: Nancy Leveson Professor of Aeronautics and Astronautics 4 Acknowledgements We would like to acknowledge the following individuals for their support in making our time at MIT an experience of a lifetime. First, we would like to thank our families for their patience, encouragement and support ­ especially Gina, Spencer and Sarah Britton, Carol Schaible and Kimberly Squire. It was their sacrifices, rather than ours, that made it possible for us to be active participants in the System Design and Management Program. We also want to thank our NASA supervisors, managers, mentors and co-workers. Their understanding, encouragement and cooperation made it possible for us to take full advantage of our time at MIT. In particular, we would like to thank Ken Payne, Tip Talone and Randy Galloway for their mentorship, and Mr. Roy Bridges for his support of the PMDP-ALO Program. We would also like to acknowledge the expert interviewees that shared their time, experience and knowledge with us. Without their contributions this thesis would not have been possible. Finally, we would like to thank our advisor, Professor Nancy Leveson. Her patience, guidance and expertise made the development of this thesis a valuable and rich learning experience. In additio n, Nancy’s support of us, SDM and NASA has served as an inspiration for our future endeavors and is greatly appreciated. 5 Table Of Contents ABSTRACT ..........................................................................................................................3 Acknowledgements ...............................................................................................................5 List of Figures.......................................................................................................................8 List of Tables.........................................................................................................................8 Acronyms ..............................................................................................................................9 Chapter 1: Introduction.....................................................................................................10 1.1 1.2 1.3 Motivation............................................................................................................10 Hypotheses and Objectives ..................................................................................11 Thesis Approach and Structure ............................................................................12 Chapter 2: Testing Classifications and Methodologies...................................................14 2.1 The NASA Development Process........................................................................14 2.2 Methodologies Used in the Verification Process .................................................16 2.3 Stages of Verification Process..............................................................................16 2.3.1 Development Stage ..........................................................................................17 2.3.2 Qualification Stage ...........................................................................................18 2.3.3 Acceptance Stage .............................................................................................18 2.3.4 Pre-Launch Stage (Integration) ........................................................................19 2.4 The Role of Testing..............................................................................................19 Chapter 3: Research Methodology and Data Analysis ...................................................21 3.1 3.2 3.3 3.4 3.5 3.6 Data Collection through Interviews .....................................................................21 Interview Methodology........................................................................................21 Interview Categories ............................................................................................22 Interview Questions ..............................................................................................23 Goal of Interviews ................................................................................................23 Overview of Interviews and Method of Data Analysis........................................24 Chapter 4: Themes Resulting from Expert Interviews ..............................................26 4.1 Introduction..........................................................................................................26 4.2 Primary Themes ...................................................................................................26 4.2.1 Subjectivity of Test Requirement Development ..............................................26 4.2.2 Paradoxical Nature of Testing..........................................................................27 4.2.3 Vulnerability to Changes and Cutbacks...........................................................28 4.2.4 Inadequate Attention to Testing .......................................................................28 4.2.5 Organizational Influences on the Testing Process ...........................................29 Chapter 5: Findings Derived from the Expert Interviews .............................................33 5.1 5.2 5.3 5.4 Introduction..........................................................................................................33 Stand-alone Software System...............................................................................33 Varying Attitudes Toward Test Effectiveness .....................................................36 Test Program Decision Factors ............................................................................38 6 5.4.1 Technical Factors .............................................................................................38 5.4.2 Non-Technical Factors .....................................................................................42 5.4.3 Retest Considerations .......................................................................................44 5.5 The Role of Planning............................................................................................45 5.6 Tracking Testing Costs.........................................................................................47 5.7 Testing Is An Art ..................................................................................................48 5.8 The Importance of System Engineering...............................................................49 5.9 Program/Agency Culture......................................................................................50 Chapter 6: Lessons for the Future ....................................................................................51 6.1 Risk Management Process ...................................................................................51 6.1.1 Current Risk Management Techniques............................................................51 6.1.2 Application to Testing......................................................................................55 6.2 Additional Keys to Success..................................................................................58 6.2.1 Status of Testing...............................................................................................58 6.2.2 Organizational Considerations .........................................................................58 6.2.3 Knowledge Transfer .........................................................................................59 6.2.4 Alignment of Goals ..........................................................................................60 6.3 Testing Decision-Making Considerations ............................................................60 6.3.1 Risk-Tolerance .................................................................................................60 6.3.2 Long-Term View ..............................................................................................61 6.3.3 Systems Perspective .........................................................................................62 Chapter 7: Summary .....................................................................................................63 7.1 Conclusions ..........................................................................................................63 7.1.1 Major Themes from Expert Interviews ............................................................63 7.1.2 Major Findings of Thesis .................................................................................64 7.1.3 Review of Original Hypotheses .......................................................................66 7.2 Recommendations ................................................................................................66 7.3 Future Work .........................................................................................................68 Notes ....................................................................................................................................69 References...........................................................................................................................72 Appendix A – Expert Interv iew Questionnaire ...............................................................74 Appendix B - Glossary .......................................................................................................77 7 List of Figures Figure 1 - Hierarchical Structure of a Generic System (Derived from [10]) ......................14 Figure 2 - Generic Overview of the NASA Project Cycle [12] ...........................................15 Figure 3 - Typical Depictio n of a Weibull Distribution (Bathtub Curve) [14]...................17 Figure 4 – Simplified Integrated Product Team Structure ...................................................34 Figure 5 – Simplified Organizational Structure with Segregated Software Group .............35 Figure 6 - DoD Model for System Development [43] .........................................................35 Figure 7 - NASA Generic Risk Matrix [65].........................................................................51 Figure 8 – Risk Matrix Showing Risk Assessment Code (RAC) (Adapted from [68])......53 Figure 9 – NASA Program Risk Matrix [70] .......................................................................54 Figure 10 – Risk Matrix with Scoring [72]..........................................................................54 Figure 11 – Adapted DoD Hazard Criticality Index Matrix [73].........................................55 List of Tables Table 1 - Mapping of Expert Interviewee Responses ..........................................................24 Table 2 - Sources of Uncertainty..........................................................................................40 Table 3 – Non-Technical Factors………………………………………………………….42 Table 4 – Sources of Uncertainty.........................................................................................56 8 Acronyms DOD FAA FPGA IPT ISS IV&V MCO MEIT MIT MPIAT NASA PRA RAC RMP SDM V&V WIRE Department of Defense Federal Aviation Administration Field Programmable Gate Array Integrated Product Team International Space Station Independent Verification and Validation Mars Climate Orbiter Multi- Element Integration Test Massachusetts Institute of Technology Mars Program Independent Assessment Team National Aeronautics and Space Administration Probability Risk Assessment Risk Assessment Code Risk Management Plan Systems Design and Management Verification and Validation Wide Field Infrared Explorer 9 Chapter 1: Introduction 1.1 Motivation “A thorough test and verification program is essential for mission success” NASA Mars Program Independent Assessment Team Summary Report [1] The above statement was cited as a lesson learned by the National Aeronautics and Space Administration (NASA) Mars Program Independent Assessment Team (MPIAT) in their March 2000 report. The MPIAT was chartered to review and analyze three successful and three unsuccessful Mars and deep space missions in order to provide recommendations for future NASA projects. This is just one example of a review committee finding that thorough testing is needed to ensure a successful mission. Another example includes the Huygens Probe. While on its way toward Saturn’s largest moon Titan in 2000, the Huygens Probe experienced anomalies in its communication system. An enquiry board was assembled to investigate the problems and included in their recommendations that “an end-to-end test should have been performed on the complete system as a final test”. [2] Even with these and numerous additional examples that point to the benefit of testing, many programs still cut back on the amount of testing that is performed, only to meet with less than optimal results. NASA is not the only agency, and aerospace is not the only industry, that has experienced major failures that perhaps could have been prevented if more testing would have been conducted. Just one of a plethora of examp les was in the floating rescue capsule aboard the ill- fated Russian submarine Kursk. According to published reports “some of the 118 Russian sailors who died…could have been [saved] if rescue gear aboard the ship had ever been tested”. [3] It was also reported that the capsule testing was deleted from the testing program because construction of the ship was falling behind schedule. [4] If testing is recognized as such a benefit, then why is more testing not performed? Given unlimited time and unlimited budget, more testing would be performed. Since it is unfeasible for programs to perform exhaustive testing, a balance must be struck between too little testing and too much testing. Not enough testing adds risk to a program, while testing too much can be very costly and may add unnecessary run-time on the equipment. Determining exactly how much testing is just enough is an extremely difficult question for many program managers and other decision makers. The decision process often appears arbitrary and has received little attention in the past. The role of testing in a successful program is to allow an opportunity for errors to be discovered and corrected before the system is put into operation. Testing is performed for risk mitigation; it serves as an insurance policy against failed missions. Even though the importance of testing is generally recognized, relatively little attention has been paid to this area in either the NASA Systems Engineering Handbook [5] or the NASA Program and Project Management Process and Requirements Policy Guide. [6] While the structure of a 10 test and verification program is addressed in these documents, actual implementation and guidelines on how much testing should be performed are not covered in detail. Because testing is performed in almost every industry and in all NASA programs, a more narrow focus is required. This thesis will begin to address the challenges of testing NASA’s human-rated spacecraft programs. The focus on human-rated spacecraft was chosen due to the inherent criticality of protecting against loss of life. Also of interest is the influence that expendable and human-rated spacecraft philosophies have on each other, and the relationship between the two types of programs. This thesis will address the following concerns that served as motivation for this research: o Difficulty in striking a balance between too much and too little testing o Perceived arbitrary nature of the decision- making process o The vulnerability of testing to cutbacks as a program progresses o Apparent lack of attention to testing in established NASA program and managerial processes 1.2 Hypotheses and Objectives This thesis poses several hypotheses. The first is that while most decision makers recognize the importance of testing, they rely on highly subjective decision factors and do not use a holistic approach to determining how much testing should be performed. The next hypothesis is that cost and budget factors tend to be the major drivers in determining the level of testing, but actual life-cycle costs are not adequately addressed in the decisionmaking process. When life-cycle costs are considered, they are out-weighed by more pressing issues of the moment. Also, when actual life-cycle estimates are obtained, it would be reasonable to believe that testing on the ground would a more cost-effective option than finding and correcting the problem on-orbit. The third hypothesis is that the decision- making process plays a significant role in determining what testing will be performed. Engineers and managers are typically unaware how this process will affect their decisions. The final hypothesis is that organizational factors are important to a test program’s success. However this relationship may not be well understood or appreciated by program managers. A summary of the hypotheses is as follows: o Many decisions makers do not utilize a holistic approach in addressing testing requirements o Life-cycle costs are not adequately addressed in the decision-making process o Decision makers are not fully aware of the influences inherent in the decisionmaking process o The influence of organizational factors is not fully appreciated The first objective of this thesis is to document the role of testing, along with the approach and philosophy used within the agency’s test programs and across similar industries. From 11 this research, decision criteria and the critical factors involved in making testing decisions will be determined. A second objective is to determine whether a common set of decision factors can be formed from the various approaches studied. Using this set of factors, this thesis will propose recommendations for architecting future test programs and will address the third objective of providing lessons learned for future projects. A fourth objective is to understand how various test managers and systems engineers deal with this issue of unexpected emergent behavior in systems. When the overall system’s behavior depends upon the interaction between two or more sub-systems, this is referred to as emergent behavior. This emergent behavior is usually anticipated and is necessary for the system to operate successfully. However, interactions between sub-systems can result in unexpected, and often undesirable, system responses. This unexpected emergent behavior can usually be explained after it reveals itself but is not anticipated ahead of time. As Eric Bonabeau (2002) noted, “Because of their very nature, emergent phenomena have been devilishly difficult to analyze, let alone predict”. [7] This thesis will attempt to capture current methods of driving out unexpected emergent behavior and provide recommendations for the future. A summary of the thesis objectives is as follows: o Document testing approaches and philosophies used and determine decision criteria and critical factors o Determine if these factors can be universally applied to all programs and propose a framework for architecting test programs o Provide lessons learned for future projects o Understand how various programs address the issue of unexpected emergent behavior in systems 1.3 Thesis Approach and Structure The research methodology used for this thesis includes a review of current literature on the subject of test and verification from system engineering, decision theory, and organizational behavior sources. Since previous research in this area is limited, a series of expert interviews was conducted with NASA, contractor and industry personnel. From these interviews and the literature review, common themes and findings were established, along with recommendations for architecting future test programs. This research will be described in this thesis as follows: Chapter 2 provides a foundation for understanding the NASA development process and the role of testing in this process. In addition, this chapter explains the basic terminology of testing as described in the literature. This is necessary since each program and industry tend to use the terms for slightly different applications. A common understanding of the terminology is established for the remainder of this thesis. This chapter also briefly 12 discusses the purpose of testing, test implementation and challenges faced in a test program. Chapter 3 summarizes the expert interview process. The survey questions are described along with the approach used in cond ucting the interviews. The data analysis methodology is explained. General themes are identified for detailed review in Chapter 4. Chapter 4 outlines the common themes that were observed from the interview process and its applicability to the literature review. Chapter 5 presents the findings derived from the themes described in Chapter 4. Chapter 6 offers recommendations for architecting future test programs. These recommendations were developed based on the work outlined in the previous chapters and addresses both the technical and non-technical factors that influence the testing decisionmaking process. Chapter 7 provides a brief summary of this thesis, makes recommendations for future NASA human-rated spacecraft programs and proposes future work that should be conducted in the area. 13 Chapter 2: Testing Classifications and Methodologies “The purpose of testing and evaluation is to determine the true system characteristics and ensure that the system will successfully fulfill its intended mission.” - Blanchard [8] This chapter discusses the NASA spacecraft development process and the role testing plays toward spacecraft integration and verification. Because testing terminology is not used consistently across different programs and industries, a set of common definitions is established for use in this thesis. The discussion also includes a description of the NASA project cycle including the technical aspects. All of this provides the background for further discussions regarding the stages of the verification process and methods used for verification. Finally, the role of testing is discussed in terms of its contribution to the overall verification process. 2.1 The NASA Development Process The NASA Systems Engineering Handbook (SP-6105) addresses the program and project life-cycle process and how the technical aspects are incorporated into each phase. In general, the NASA development process is “requirements driven” and uses hierarchical terminology for decomposing a system from its highest leve l to successively finer layers, down to individual parts. [9] A general hierarchical structure of a system is depicted in Figure 1. Hierarchical Structure of a System System Segment Element Subsystem Assembly Subassembly Part Figure 1 - Hierarchical Structure of a Generic System (Derived from [10]) This structure serves as the framework for systems requirements development that in turn provides the functional requirements that must be verified. Testing is used to accomplish this verification process. The systems engineering approach encompasses the entire technical effort required to develop, deploy, operate and dispose (decommission) a spacecraft. The objective of the 14 systems engineering process is to ensure that the system is designed, built, and operated in accordance with its intended purpose and in the most effective way possible, considering cost, schedule and risk. The NASA program and project life-cycle process identifies various activities for the preliminary design, detailed design, fabrication & integration and preparation for deployme nt phases. NASA has adapted the generic Forsberg and Mooz “Vee” chart (Figure 2) that describes the technical aspects of a project cycle in terms of the decomposition and definition sequence (referred to as definition) and the integration and verification sequence (referred to as verification). [11] The definition sequence (left side of Vee) defines the process for understanding user requirements, developing system requirements, expanding them to “design-to” specifications and finally, evolving to “build-to” documentation and inspection plans. During each step of the definition sequence a set of verification requirements should be developed. These requirements (sometimes referred to as verification and validation requirements) serve as the framework for ensuring the system will perform as desired in its intended operating environment. The verification sequence (right side of Vee) of the NASA project cycle provides the requirements for inspection of the “build-to” hardware, verification of the “design-to” documentation, integration of the system performance, and demonstration/validation of the complete systems in accordance with user requirements. Technical Aspect of the Project Cycle Understand Customer Requirements, Develop System Concept and Validation Plan Demonstrate and Validate System to User Validation Plan Integrate System and Perform System Verification to Performance Specifications and Plan Develop System Specification and System Verification Plan Expand Specifications into CI “Design -to” Specifications and CI Verification Plan Integrate CIs and Perform CI Verification to CI “Design -to” Specifications and Plan Evolve “Design-to” Specifications into “Build-to” Documentation and Inspection Plan Verify to “Build-to” Documentation And Inspection Plan Fab, Assemble, and Code to “Code-to” and “Build-to” Documentation Figure 2 - Generic Overview of the NASA Project Cycle [12] 15 2.2 Methodologies Used in the Verification Process There are various methods of accomplishing the objectives of the verification sequence including analysis, similarity, inspection, simulation and testing. These methods provide a level of certainty and knowledge regarding the system behavior and performance, and they verify the activities of the definition sequence. The following paragraphs provide a brief description of the verification alternatives and how those methods meet specific verification requirements. Analysis uses specific techniques, such as statistics, modeling, or qualitative methods to verify compliance to specification/requirements. Analysis is used in lieu of testing when the methods can be proven to provide rigorous and accurate results and when testing is not cost-effective. Similarity is a verification technique that uses comparison of similar hardware components. The acceptance data or hardware configuration and application for a particular piece of hardware is compared to one that is identical in design and manufacturing process and has been previously qualified to equivalent or more stringent specifications. Inspection techniques are used to physically verify design features. This implies a physical inspection but can also refer to documentation. Construction features, workmanship, dimensional features and cleanliness are all applications for inspection. Simulation is a technique for verification that uses hardware or software other than flight items, but built to behave in an identical manner as the flight systems. Testing is a method of verification in which the actual equipment is allowed to operate under conditions that demonstrate its ability to perform as specified by the design requirements. Various stages of testing may be required, as the system is configured, in order to verify functionality at each stage of assembly. 2.3 Stages of Verification Process The verification sequence of the NASA spacecraft development process, as shown in the verification sequence of Figure 2, can be further divided into stages that correspond to defined periods in which different verification goals are met. [13] The six generic verification stages are: o o o o o o Development Qualification Acceptance Pre-launch (Integration) Operational Disposal 16 For human-rated spacecraft, the role of testing is prevalent in the first four stages and is used less in the operational environment and lesser still in the disposal stage. Therefore, the following paragraphs will focus on those stages that most relate to the testing activities (the development, qualification, acceptance and pre- launch). 2.3.1 Development Stage Development or component level testing is intended to verify that the lowest level components of a system actually perform their intended functions in accordance with the specified requirement(s). A component can be considered a single “part” or a series of parts configured to perform a function. Component testing occurs at an early stage of systems development in order to provide the building blocks that will comprise the overall system. The data collected during this phase of testing serves as the foundation for system reliability, maintainability and cost effectiveness. Reliability data is usually compiled on each system component according to the mathematical relationships of continuously operated systems. These reliability equations help determine infant and wear-out failure rates and thus determine the remaining component failure probabilities in a range containing random occurrences. The period of operation in which only random failures occur is considered the useful operating life of the component. This is valuable information because it determines how long a particular component may be used before its replacement becomes necessary. It also defines the amount of higher level testing to which the component can be subjected before the wear-out period is entered. A graphic depiction of this distribution is referred to as a “Bathtub Curve” in which the hazard function is divided into the three regions described in Figure 3. Figure 3 - Typical Depiction of a Weibull Distribution (Bathtub Curve) [14] 17 2.3.2 Qualification Stage The qualification stage of spacecraft development is intended to verify that fight hardware meets functional, performance and design requirements. [15] Specific requirements evolve from performance measures that are traceable back to system level requirements and to customer requirements. Verification requirements in this stage are more severe than the conditions expected during operation in order to establish that the hardware will perform satisfactorily in the flight environment with sufficient margins. [16] Blanchard provides a further description of qualification testing as addressing the need to prioritize requirements according to criticality, in order to allow an integrated test plan to be developed. This places the proper emphasis on the most critical requirements and eliminates redundancies that would increase costs. Ideally, qualification tests should be scheduled as a series of individual tests performed in an integrated manner as one overall test. [17] However, for highly complex spacecraft systems being developed in stages, at geographically separate facilities, or when contractually fragmented, such integration testing is not always possible. Specific testing objectives that are typically defined in qualification testing include overall performance, structural, environmental (thermal), and vibration testing. Software validation should also be performed during qualification testing but is often performed with simulation or development software that does not represent the final released versions. Validation of the software ensures that the system behaves per the user requirements. Actual verification that the software meets the stated requirements can only be completed after the final flight version is released. The performance margins established in this stage will determine the amount of system flexibility that can be utilized downstream. Even though each individual component may be within specified tolerance, the aggregate of all the components may result in an out-of-tolerance condition for the system. These system tolerances are a key factor to be considered at this point because neglecting them may result in unexpected emergent properties during system integration or worse yet, discovering an out-of-tolerance condition of the system late in the development phase. 2.3.3 Acceptance Stage The acceptance stage defines the period in which the delivered spacecraft (end-item) is shown to meet the functional, performance and design requirements as specified by the mission requirements. [18] This stage often concludes with the shipment of the accepted item to the launch site. Acceptance activities typically occur after the initial qualification testing and before final integration testing of the spacecraft and are intended to evaluate system performance using the actual production components that will constitute the final 18 spacecraft. Acceptance testing also serves to verify the “workmanship” of the assembled products. 2.3.4 Pre-Launch Stage (Integration) The pre-launch stage typically begins with the arrival of flight hardware and software at the launch site and ends with the successful launch of the spacecraft. This stage is intended to verify requirements of the integrated spacecraft as well as integration between the spacecraft and launch vehicle or launch facilities. The integration phase allows interfaces between different portions of the spacecraft to be brought together and tested for fit as well as function, thus providing the opportunity to assemble all the spacecraft components in their final configuration. If necessary, the entire system can be run under actual operating conditions. For human-rated spacecraft such as the International Space Station (ISS), integration testing with flight hardware is not feasible because the various ISS elements are in different stages of development. Therefore, integration testing is often comprised of a mixture of actual flight hardware and software with emulators of other parts of the overall system. For unmanned spacecraft that have no on-orbit repair capability, problems found and corrected in the integr ation test may be the final determinant for mission success. Although not the intended purpose, integration testing does provide the final opportunity to verify the system meets the intended user requirements and to identify any system- level performance shortfalls. In a perfect world, the integration phase would test interfaces only and would not identify any lower level failures (assuming the previous test phases were performed successfully). In reality, integration testing is often the first system- level checkout of flight hardware and software interfaces. This thesis will focus on the integration test phases. 2.4 The Role of Testing In general, the purpose of test and evaluation activities is to determine the true system characteristics and to ensure that the system will successfully fulfill its intended mission. [19] Testing serves a dual purpose of verifying fulfillment of requirements while also driving out uncertainty in system behavior due to imperfect requirements (which will always exist). As discussed, testing is considered one method of meeting the system verification and validation (V&V) goals and usually is performed to address risk and uncertainty that cannot be satisfactorily mitigated by other, less expensive, means (i.e. analysis, simulation, inspection). Spacecraft testing is sometimes considered synonymous with system V&V; however, this view may be misleading. V&V is the process by which systems are evaluated and has a twofold objective: to determine if the system meets the design (verification) and to verify that design performs the intended tasks (validation) and meets the customer’s needs. Stated differently, verification is the process of verifying that hardware and software operate according to the specified requirements (i.e. it does what it is asked to do) while validation is the process of determining whether the end product 19 meets the design and user intentions (i.e. it does what it is suppose to do). As such, system validation activities would be performed at a higher level in the system hierarchy. It should also be noted that while verification establishes that the equipment being tested meets the specified requirements, it does not evaluate the validity of the requirement. Therefore, special emphasis should be placed in the development of the requirements to ensure they represent the actual intended system operation. 20 Chapter 3: Research Methodology and Data Analysis “The beginning of knowledge is the discovery of something we do not understand.” - Frank Herbert [20] 3.1 Data Collection through Interviews In order to capture expert knowledge regarding integration testing of human-rated spacecraft, a series of interviews with recommended experts in the testing discipline was conducted. The interview process was intended to solicit the tacit knowledge of the interviewee and was not structured to obtained data for statistical analysis. A total of fourteen experts were interviewed. Nine of these experts were from NASA while five represented either government contractors or the aerospace industry. The number of interviewees represented a broad spectrum of the testing community (from test engineers to test program managers, both from government agencies and contractors), but was not deemed large enough to constitute a valid statistical data population. From the interview process additional data was sought that would provide a statistical foundation for verification of the findings and recommendations presented in the testing framework. In fact, the statistical data was not forthcoming in sufficient quality or quantity to be useful. The lack of statistical data, however, does not deter from the qualitative value of the knowledge obtained through the interviews and subsequent response analysis. 3.2 Interview Methodology The interview methodology consisted of private sessions with each individual (or in some cases two individuals). Interviewees were selected from several sources, recommendations from Massachusetts Institute of Technology (MIT) professors and advisors, reputation, personal knowledge of the researchers, associations with the MIT Systems Design and Management (SDM) Program and recommendations from the actual expert interviewees. The sessions were conducted in person wherever possib le or otherwise via telephone and typically lasted approximately one hour. In general, the interviews consisted of the two researchers asking questions regarding one of four focus areas of testing. The interviewees were provided an opportunity to describe their backgrounds and basic philosophies regarding system testing and systems engineering in general. This introduction period allowed the researchers to tailor the questions toward a specific area of interest or expertise the interviewee may have possessed. For instance, a test engineer may have described their expertise in environmental (thermal) testing of hardware and how certain barriers existed that made conducting these tests difficult. In this case the engineer would be allowed to elaborate on that specific aspect of testing (component and qualification level). The questions were focused on their experiences, perceptions and challenges, based on their background. Often the interview included a discussion on philosophies regarding spacecraft testing programs and then flowed into a discussion on the strengths and weaknesses of the approach in question. The interviewee was provided ample time to respond and then, 21 through follow- up questions, asked to elaborate on the previous response. Confident ially was assured so that the expert interviewees could provide frank responses without consideration of consequences and to protect any proprietary knowledge regarding testing processes and procedures or financial information. 3.3 Interview Categories The interview questionnaire consisted of five sections, an introduction and biography section for the interviewee, and four sections on specific focus areas regarding spacecraft testing. These areas include the role of testing, decision factors that influence how test programs are implemented, cost factors that influence test programs and organizational issues relating to test programs. The actual interview questionnaire is contained in Appendix A. Section I, a biographical section, was required to allow the researchers and interviewees to become familiar with each other. This section provided contact information, prior experience and current responsibilities. The information was also used for demographic analysis regarding coverage of the spacecraft-testing spectrum. Section II of the questionnaire focused on the role of testing and requirements definition. This section identified the type of testing (i.e. qualification, acceptance, integration) that the interviewee was most familiar with and how that particular testing phase adds value to the overall spacecraft development process. Questions regarding the criteria and processes used to define testing requirements and how these are coordinated with the actual hardware and software development processes were also discussed. Finally, several questions regarding decision and cost factors were included to serve as transition points to follow-on sections. Section III of the questionnaire focused on factors that are considered in deciding what tests to perform on a spacecraft. Internal and external factors were sought as well as how much weight specific factors carry in influencing the final test requirements. This section also introduced questions regarding the integration of hardware and software in humanrated spacecraft test programs and the implications of treating software differently from hardware and in delaying the integration of the two. Factors that influence decisions to modify test programs were also sought. In this context, the researchers explored subjective influences such as the political environment and the effects they play on maintaining or changing planned testing programs. The final objective of this section was to explore the value of identifying unexpected emergent properties in human-rated spacecraft through testing. This was an important issue to the researchers because of the perceived tendency for test programs to verify known requirements and not seek to identify unexpected behaviors prior to deployment. Section IV, budget and cost considerations, provided a transition from the decision-making factors because these considerations serve as a separate influence on the level of testing performed on human-rated spacecraft. The focus of the cost-related questions was to determine how well test program costs are planned, budgeted, monitored and reviewed 22 upon completion of the program. Rules of thumb and other budgetary guidelines were sought for use in planning and implementing various phases of a human-rated spacecraft test program. In addition, the influence of cost factors on the decision process was discussed. The final section, Section V, of the questionnaire focused on organizational factors that influenced the success of test programs. Comparisons were made between actual test program organizational structures against those that the experts deemed most effective. Questions also addressed organizational considerations given to software versus hardware testing and the integration of the two. This section also sought out insights on how well knowledge is captured, retained and transferred to future programs. Finally, the effectiveness of documenting lessons learned and transferring them within the current organization, and to other programs, was discussed. After all the questionnaire topics were covered, a period of open dialog was provided in which the expert could elaborate further on any topic previously discussed and offer more insights on other aspects of testing not included in the questionnaire. These discussions were captured under a generic category called “Other” and served as the conclusion of the interview process. 3.4 Interview Questions As previously mentioned, the questions used in the interview process were designed to draw out the tacit knowledge of the individuals as opposed to a verification of their formal knowledge regarding human-rated spacecraft testing or systems testing in general. The sequence of the questions was intended to begin with basic concepts and progress into more abstract areas that are not widely covered in academia or formally considered in systems testing documentation. The interview questionnaire contained a total of fifty-two questions (Appendix A). Some questions contained follow-up queries while others sought informational data only. Fortyfive separate questions related to expert knowledge of the individual while another seven were for informational purposes. Although all questions were covered in the interview process, not all were sufficiently answered by the respondents. This reflects the wide spectrum of experience sought in the research. Finally, several questions contained overlapping themes that allowed the interviewee to answer them simultaneously, if they so choose. For instance, question (20) asks about cost factors for determining the extent in which testing is performed. As the response was delivered and elaborated upon, it was often possible to segue to question (31), which addressed testing budgets. Therefore the questionnaire was used as a guide rather than a formal process. 3.5 Goal of Interviews Each of the four major sections of the questionnaire correlated with specific areas of focus regarding human-rated spacecraft. The interviews were intended to capture knowledge of experts regarding current test practices within NASA programs as well as the aerospace 23 industry in general. In concert with capturing knowledge regarding current testing practices, recommendations for improving on those practices, within the four focus areas, were also sought. The body of knowledge compiled from the interviews served as the foundation for further comparison to system engineering principles. A second goal of the interview process was to gather enough responses from a diverse spectrum of testing experts to allow identification of common themes that apply to system testing in general and human-rated spacecraft testing specifically. Finally, the interviews attempted to capture best practices, as well as deficiencies, in organizing and implementing programs. This goal is not specifically oriented toward test programs but toward an overall spacecraft program organization that provides the best chance of success. 3.6 Overview of Interviews and Method of Data Analysis The interview process was conducted with both researchers present. Responses were recorded individually by the researchers and later compared for consistency. The responses were then compiled electronically into a larger data set. The data set was built according to the focus sections in the questionnaire. All responses were analyzed and common themes were drawn from each section through a process of grouping like responses from different interviewees together. A system of maintaining anonymity was established that masked the responses but allowed traceability back to the specific expert interviewees. The final data set of responses consisted of over 500 separate items that were used in the analysis. A distribution of responses to expert interviewee function is depicted in Table 1. INTERVIEW SECTIONS/FOCUS AREAS Function II - Role III - Factors IV - Cost V - Org/KM VI - Other Test Manager 75 71 21 60 10 Test Engineer 22 17 3 23 7 Systems Manager 16 20 1 4 0 Systems Engineer 39 39 4 16 3 9 15 4 7 4 10 3 0 12 0 171 165 33 122 24 Independent Verification & Validation End User Totals Table 1 - Mapping of Expert Interviewee Responses 24 The process for evaluating the data consisted of categorizing each response individually according to the focus section being reviewed. After all four sections were completed, a second phase of grouping the responses according to common themes was conducted. This phase also identified themes that applied across each section. Those crossover themes were also compiled and addressed in the final analysis. Development of the common themes from the interviews was accomplished from the perspectives of the researchers’ testing experiences. An internal perspective was developed from the researcher with extensive experience in human-rated spacecraft testing while an external perspective was developed from the researcher with limited testing experience. These differing approaches to the interview responses provided a deeper understanding of the knowledge captured and resulted in a broad set of recommendations for future test programs. Finally, after the interview data analysis was completed, a collection of overall themes and insights emerged. These along with the literature information were used to develop the common themes and findings described in Chapters 4 and 5. 25 Chapter 4: Themes Resulting from Expert Interviews “It All Depends” - Expert Interviewee [21] 4.1 Introduction Upon completion of the interview process, as described in the previous chapter, a set of general themes was developed from the compilation of the expert responses. These themes represent the most commonly held opinions and perceptions among the expert interviewees based on their testing experience. This chapter will address five primary themes that were the most prevalent topics from the aggregate of the expert responses. General insights and findings derived from the interviews are presented in the next chapter. The primary themes that emerged from the interviews are: o Subjectivity of test requirement development o Paradoxical nature of testing o Vulnerability to changes and cutbacks o Inadequate attention to testing o Organizational influence on the testing process Each of these is now discussed further. 4.2 Primary Themes The primary themes represent a common set of knowledge derived from the expert interviews. These themes, along with literature research, serve as a foundation for the development of findings and recommendations presented in later chapters. 4.2.1 Subjectivity of Test Requirement Development Although not specifically asked in the interview process, the subjective nature of testing was mentioned by almost all of the expert interviewees. The essence of this subjectivity comes partly from the risk identification and mitigation process and partly from the systems requirements process. As mentioned in Chapter 2, testing serves as risk mitigation. Risk is traditionally discussed in terms of both the likelihood of a specific outcome occurring and the consequences that would result. [22] Because determining risk levels is highly subjective, especially for new designs and architectures, testing will in turn be highly subjective. It is also impossible to perfectly 26 relate risk to testing since so many additional factors apply, such as the ability to recreate the operating environment on the ground. [23] In system requirements development, the system architect must answer the question “is this what the customer wants”? Once answered, the requirements for the system can be established. Test requirements flow from these system requirements and attempt to answer the question “ how do I prove it”? [24] Because each system is different and has different system requirements, the test requirements will be different as well. These differences in system and test requirements make it difficult to generalize testing. One additional reason that testing is very subjective is the nature in which test requirements decisions are made. There currently are no concrete rules on how much testing must be performed. The decision is a trade-off between available resources to perform the testing and the amount of risk the program is willing to accept. These factors change with the situation, and when added to the biases of the individual decision maker, a quantitative answer is not likely. [25] Some even report that a “well­ guided gut instinct works about as well as anything else”. [26] The subjective nature of testing is a significant factor in every facet of a test program, as will be demonstrated throughout this thesis. Due to the subjectivity, testing practices are not consistent across the aerospace industry or in comparison with the commercial aircraft industry. These inconsistencies can be observed in every phase of the test program. Most notably is in the inconsistent way in which terms are used to describe test activities. This lack of standardization in terms required the need to establish definitions for use in this thesis (Chapter 2). Another source of inconsistency is the wide variation in the way projects are organized, within and across programs and companies. A third inconsistency is in the process of defining, implementing and tracking test requirements. All programs treat testing differently due to unique requirements and conditions. Interestingly, most expert interviewees would like to see some level of standardization to minimize the subjectivity but they are very skeptical that this standardization could ever be successfully accomplished. 4.2.2 Paradoxical Nature of Testing Another prevalent theme throughout the expert interview process was the paradoxical nature of testing. Intuitively, people know that more testing is better than less testing. With unlimited time and budget, testing would never be an issue because the program would simply test everything. In reality, cost and schedule constraints are always present. The program success is not only based on the successful operation of the system but also on whether it was completed on time and within budget. Testing is often considered an insurance policy against future failures. Program management must perform a risk-benefit analysis to determine the wisest use of program resources. [27] 27 Even on the technical side, what constitutes a successful test is itself a paradox. A hardware test that uncovers multiple problems can be considered just as successful as a test that verifies the flawless operation of a perfectly designed and built system. Conversely, for software it is easy to write test cases that will be successful, however, these cases will only be effective if they show how the system does not work. Both hardware and software testing serve the purpose of risk mitigation towards ensuring a correctly operating system. This paradox creates a managerial view of testing as an unrecoverable program cost rather than a value proposition of long-term program costavo idance. True costs for testing are not calculated in terms of cost prevention, only in terms of actual costs to perform the test. Hence, the cost savings of identifying an error on the ground and fixing it before launch is often not a consideration in determining a test program’s success. 4.2.3 Vulnerability to Changes and Cutbacks Adding to the subjectivity and paradoxical nature of testing is the fact that most testing occurs late in the development phase. The prevalence of late testing leads to the next common theme: testing is vulnerable to changes and cutbacks. The first source of change comes from incomplete test requirements. Very often the actual design itself is in flux and the system requirements are continuously changing. This in turn results in a changing test program. The higher the fidelity of the early test requirements, the more stable the testing requirements and planning will be at the end of the development phase. [28] Also, as new knowledge is gained about system operation, new methods of testing may be developed and synergies between stages of testing can be incorporated into the test plan. As budget and schedule pressures increase during the development phase, managers tend to accept more risks and are therefore willing to agree to more cutbacks in testing. Again, the more stringent the requirements, the less vulnerable the test program will be to these reductions. [29] Since the budget and schedule pressures are most keenly felt at the end of a development program, testing is extremely vulnerable because it is one of the only remaining opportunities left to make up schedule or cut costs. Some test programs are budgeted early in a program and the budget is placed in a reserve status. However, if proper care is not taken to preserve the funding, the test budget can be decimated by the time the testing is scheduled to begin. Even fiscal year considerations may change the timing of a test program. One interviewee reported that testing can be delayed until the start of the fiscal year when new funding became available. [30] 4.2.4 Inadequate Attention to Testing The fact that testing, as an activity as well as an organization, does not receive the same attention as other elements of a program was another common theme of the expert interviews. In general, testing is recognized as an important part of a project. Yet as mentioned earlier, because testing typically occurs at the end of development, it does not receive as much emphasis during the initial planning phases as it should. The 28 inadequate attention can be in the form of time, budget, or forethought spent on the various activities. Understandably, design has to take precedence in defining the function and form of the system in the beginning of development. It is only after the program is well underway that testing begins to receive the consideration it deserves. If consideration to testing is not given at the beginning of a program, it may be too late to ensure the most efficient and thorough test planning and implementation. Many of the interviewees expressed frustration with this trend. It was common to hear how test requirements were not finalized soon enough. One expert summed it up as “not enough emphasis is placed early enough on high-quality test requirements, equipment, and procedures. We make it work but its not efficient”. [31] Another concern within the testing arena that was repeatedly mentioned in the expert interviews is a lack of training and mentoring. Formal training in testing is not typically provided. The skills needed to be a good test engineer are learned on-the-job but these skills are not proactively maintained or developed. Within NASA, the standard program processes and procedures do not address the detailed implementation strategies for testing. Much time and effort has been put into other areas of program and project planning, but testing has not received its fair share. According to some of the expert interviewees, the lack of a detailed documented testing strategy has meant that each program, or new program participant, has had to relearn important lessons from the past. The experts recommended that more should be done to capture these best practices in order to provide decision makers with some guidelines for test planning. [32] The subjective nature of testing, along with a concern about the ability to generalize the knowledge, may be possible reasons that these best practices have not been documented in the past. Also emphasized during the expert interviews was the desire to perform test planning in parallel, but one step out of phase, with the development of the hardware and software. As one piece of the design process is completed, test planning should take place. The same is true for actual test implementation. Several of the expert interviewees suggested that the deficiencies in test planning might be an organizational issue. Not enough forethought tends to be given to how a program will be structured to allow for the most effective test planning and implementation. Many of the expert interviewees reported that test engineers do not hold the same status or standing that other engineers do within the program. These test engineers are often not as respected as other engineers and as such, do not receive the same opportunities or receive as much attention. Other divisions within the program and/or organization tend to receive more prominence than testing. This inequality leads to the next common theme found in the expert interviews: the effect of organizational structure on test program success. 4.2.5 Organizational Influences on the Testing Process A number of the expert interviewees, especially the contractor representatives, described the benefits of having a separate testing organization that can concentrate on this one area of the development process. However, an independent testing organization does have limitations and poses new challenges that must be addressed. 29 This section will focus on these organizational issues, from the point of view of the expert interviewees. One observation made from the interviews is that there was not a consistent interpretation of what was meant by “test organization”. For some, the test organization includes the actual technicians that perform the operations on the flight and ground equipment. For others, the test organization is those individuals in a program office that are responsible for overseeing test activities. For the purpose of the interviews, and for this thesis, “test organization” will refer to those engineers accountable for implementing test requirements and the program management functions responsible for these activities. A prevalent assertion encountered during the interview process was the need to develop test-engineering skills. Having a separate test organization was recommended as one method of developing skills, facilitating knowledge transfer and improving communication. This independent organization also allows for a consistent test philosophy to be established and implemented. It ensures that attention is focused on testing activities eve n while the program management may be concentrating on other issues. To receive the maximum benefit, the test organization should be involved in the very early stages of design and planning. Another benefit of having a separate pool of test engineers is the ability to be flexible with the resources. Flexibility is particularly important in the component, qualification and integration testing stages of development. During component and qualification testing, the schedule is constantly changing and resource loading must always be adjusted. A pool of test engineers can be an efficient use of engineering resources. [33] For integration testing, a dedicated test team is important because the test engineers need to be are familiar with the overall system operation. Because these same individuals have been involved with the earlier testing, they will have developed an understanding of the operation of the system and any idiosyncrasies that may be present. [34] Having previous experience with the hardware and software can be very important in recognizing system trends and unexpected emergent behavior. Some organizations provide a mixture of a dedicated test team, along with other independent reviews. As an example, the commercial aircraft industry uses a separate test group for highly critical systems. The Federal Aviation Administration (FAA) has mandated that independent testers and inspectors verify all critical requirements in the commercial airline industry. [35] For lower criticality systems, two developers verify each other’s work. While having a separate testing organization can be beneficial, it cannot operate in a vacuum. Good communication is essential, especially between test engineering, system engineering, software/hardware designers and operations personnel. Many expert interviewees emphasized the need to establish good relationships early and to maintain the interfaces throughout the project. Very often adversarial relationships are formed 30 between the different groups, severely hampering communicatio n and negatively affecting the development process. There are other limitations of having a separate test organization. Besides the increased need for good communication, comprehensive integration is also required. This need is magnified with geographical distance and contractual differences between designers, testers and system integration organizations. Having a separate test organization can actually detract from the effectiveness of the project and create inconsistencies rather than standardization when these geographic distances or contractual differences are present. Extra care is needed to provide strong system engineering and integration between the various groups when extreme organizational differences are present. The need for a strong functional organization to maintain skills was also cited in the interviews. Having a strong functional organization is important for both a dedicated test teams, as well as for Integrated Product Teams (IPT). A number of contractor expert interviewees reported success using the IPT structure. Keys to its success included a strong functional organization to support the test representatives and strong integration between the individual IPTs. [36] Other interviewees described unsatisfactory experiences with the IPTs. A lack of a strong functional foundation and weak integration were possible explanations for the poor execution of the IPT structure. It should also be noted that even for those organizations that utilized IPTs, each was implemented in a different manner. These findings imply the need for better understanding of effective IPT structuring. A further description of an IPT structure is provided in the next chapter. During the expert interviews, questions about the NASA software Independent Verification and Validation (IV&V) process were asked. The responses provided a unique, and useful, insight into NASA’s test philosophies and practices. The following discussion was not utilized in the development of the overall findings because it is not technically considered a testing organization. However, parallels can be drawn between IV&V and testing. Because this information is deemed to be valuable, it is included in this chapter. While the IV&V organization does not perform actual testing of software products, it does provide an independent review and monitoring of the processes used in test requirement development, test conduct and data analysis. NASA has criteria for determining when a particular project is required to employ IV&V. [37] The programs themselves are responsible for proactively performing a self- assessment and arranging for an IV&V review. The researchers found little evidence, however, that this process of self-assessment was well understood outside the IV&V community. In fact, the criteria used for performing the self-assessment was not clearly defined in program management processes, nor was it readily available for use by program managers. The IV&V community does police programs to ensure proper use of the IV&V review. One factor hampering their ability to assess the need to perform IV&V on NASA projects is the difficulty in compiling a complete list of all projects currently underway. 31 A hit-or-miss record of involving IV&V in software development has resulted from the unavailability of a complete list of NASA projects. [38] Fortunately, IV&V has been involved in human-rated spacecraft development, most likely due to the limited number and high visibility of the programs. Ironically, each individual project must finance the IV&V effort. There was evidence that some projects do not want to have an IV&V audit performed. This resistance is often a result of not understanding the value added in performing an independent review. Often projects see this review as a drain on resources, both in time and money. These resources are usually needed for other efforts that are perceived to be more valuable. From this standpoint, IV&V and testing suffer from the same barriers, biased perceptions and lack of appreciation. 32 Chapter 5: Findings Derived from the Expert Interviews “Test Early and Often” - Expert Interviewee [39] 5.1 Introduction The expert interviews, along with the literature review, yielded some significant findings, which are described in this chapter. These findings are meant to shed light on some the challenges that the testing community currently faces as well as to provide the foundation for the recommendations described in Chapter 6. With over 500 individual responses collected and analyzed from the expert interviews, a great deal of information regarding human-rated spacecraft testing was captured. For this thesis, the most significant findings are discussed in detail. These findings include: o For some projects, software is considered a stand-alone system o Optimism varies with organizational position o While testing practices vary, decision factors do not o Upfront planning is a key to success but be prepared for change o Current methods of tracking testing costs are not sufficient o Testing is more of an art than a science o Good sub-system engineering is not a substitute for proper system engineering o Program/Agency culture strongly affects testing 5.2 Stand-alone Software System Today’s systems are becoming increasing more reliant on software to operate successfully. However, there is evidence that for some projects, software is not being treated as an integral part of the overall system. Instead, software is viewed as separate stand-alone system, posing a number of challenges and concerns, especially for the testing activities. Because the system hardware and software are usually highly interdependent, they must be considered as one integrated system. Very often both the hardware and software must be present for the system to operate. To truly verify the system requirements, the actual flight hardware must be integrated and tested with the flight software. Some of the evidence that points to the premise that software is being treated as a system of itself is provided by the organizational structure, the process by which the software is tested and delivered, and the limited insight that sub-system engineers have into the software development process. A human-rated spacecraft project’s organizational structure is one indicator of how software is handled in general. Some projects and programs use Integrated Product Teams (IPTs) with software being an integral part of each IPT. An IPT is an organizational structure that consists of cross- functional teams dedicated to an individual product, project 33 or system. Each team includes representatives from the various functional departments. The IPT structure is used to increase communication and coordination between the different disciplines involved in a common system. [40] A simplified example of an IPT is shown in Figure 4. Project Manager IPT #1 IPT #2 IPT #3 Software Software Software Mechanical Mechanical Mechanical Electrical/ Avionics Electrical/ Avionics Electrical/ Avionics Quality Quality Quality Figure 4 – Simplified Integrated Product Team Structure On the other hand, some projects have segregated all software engineering into a separate organization. At the extreme, the separate software group is housed in an entirely different division from the systems engineers (as shown in Figure 5). This organizational distance also serves to disassociate software from the rest of the system and limits the sub-system engineer’s visibility into the software development process. In one interview, a system engineering expert admitted that sub-system engineers do not typically see the software specifications or the test procedures. [41] This lack of visibility goes completely against the philosophy of true systems engineering. 34 Project Manager Spacecraft Systems Avionics and Software Sub-System Engineers Software Developers Figure 5 – Simplified Organizational Structure with Segregated Software Group Another organizational concern with the software development process is the contractual structure for breaking down the software segments. Some program split the responsibility of software development between contractors. When the split also involves a substantial geographic distance (as is common), effective communication is hampered. In addition, the development of the hardware and software for the same system may also be parceled out to different companies. The software product then becomes a program deliverable in and of itself, providing a further indication that for some programs, software is handled as a distinct element. The inclination to treat software separately is not unique to NASA. US Department of Defense (DoD) standards have actually mandated this separation as recently as 1997 (Figure 6). [42] Figure 6 - DoD Model for System Development [43] 35 Once delivered, the process for testing the software differs from that of the hardware. Some differences should be anticipated because software is not a tangible element and cannot be tested to failure as is done with hardware. Because there is not a physical embodiment of the system, the tester must rely completely on the quality of the specification in order to verify the intent. In addition, the same building block approach for testing may not be applicable to software, as it is with hardware. While the software may be developed in discrete modules, it often cannot be tested as a standalone module. There are lessons from hardware testing that should be incorporated into software testing. One example relates to retest. Typically when hardware is replaced after a test has been conducted, the retest is typically quite intensive. Not only are the interfaces retested but in many cases, the integration tests are also performed again. The tendency in software is to just retest the module in question and then to plug it back into the system without an integrated test. [44] This is one indication of the popular (but false) perception that software is easier, and safer, to change than hardware. In fact, this is not true. According to Leveson (Safeware, 1995): “Changes to software are easy to make. Unfortunately, making changes without introducing errors is extremely difficult. And, just as for hardware, the software must be completely reverified and recertified every time a change is made, at what may be an enormous cost. In addition, software quickly becomes more ‘brittle’ as changes are made – the difficulty of making a change without introducing errors may increase over the lifetime of the software” [45] The system engineer must be an integral part of this process of evaluating the changes and subsequent implementation in order to maximize the chances of success. One theory as to why software is treated separately from hardware may be the history of the program and the background of test managers themselves. In general, there is not a good understanding of software engineering by those not in this profession. Most managers currently have a hardware engineering background. They may not truly appreciate the unique aspects of software development and testing. Many of these managers try to apply to software the same hardware paradigm that worked so well for them in the past. Software, however, has many fundamental differences in the way it is developed and tested. As mentioned in the previous chapter, testing is inherently subjective, but the abstract nature of software makes the testing of software even more subjective. When software is treated as a separate system, compounded with this added subjectivity, stronger integration and greater attention to details becomes critical. Unfortunately, the temptation to delegate the decisions to the software community is also greatest under these circumstances. 5.3 Varying Attitudes Toward Test Effectiveness An insight that resulted from the interview process was the observed differences in attitude toward the effectiveness of testing among those at various levels of the organization. It was 36 evident that the lower level system and test engineers were much more pessimistic and felt that too much risk was being taken by not testing enough. They did not have a clear understanding of the process that the decision makers went through, and they were the most likely to see the process as arbitrary. Our research showed that the optimism level clearly increased as one went up the chain-of-command toward the managers. Most managers were proud of what had been accomplished and were confident that their test programs were highly successful. There are several possible reasons for why an individual’s outlook on testing changes with their organizational position. The first is an individual’s ability to take a holistic view of the entire project. Senior managers have a larger view than many engineers at the lower levels. The lower-level system and test engineers are primarily concerned with their own system and its successful operation. Managers on the other hand must balance the entire system, along with the external influences. They are the ones that understand the political factors involved with the project. In turn, the program manager’s risk aversion level is different from that of the lower- level engineers. The program managers must make the trade-offs and, as such, are perceived to have a higher tolerance for risk. These project managers do understand, however, that they are responsible for accepting risk as part of the trade-off decisions. As one project manager stated “I was willing to take the risk of not testing what I flew. As the project manager for the …mission, I was the one who ultimately decided what risks to take…”. [46] Another possible reason for the differing level of optimism is that the understanding of the detailed technical information is most likely not consistent across the organization. It is reasonable to think that the lower-level engineers understand the operation of their system better than the managers. Information may not be conveyed to managers in a way that allows proper risk evaluation. When this less-than-perfect knowledge is combined with the other external pressures, managers may be accepting more risk than they think. The established culture also plays a role in the differences in optimism. NASA has historically had a culture of risk taking but at times has also been accused of being too risk adverse. Depending on the culture of a particular project, acceptable risk level changes. In addition, while the current NASA culture is very accustomed to fixing technical problems as soon as they are discovered, the process for reversing bad decisions made early in a program has not yet been institutionalized. It should be noted that program and test managers do not make bad decisions on purpose or out of incompetence. Early in a program, all the information may not be available or may not be accurate. Managers make the best decisions they can at the time but these decisions are rarely re-evaluated. The lower- level engineers may recognize these as bad decisions, but the managers may not even be aware there is an issue. The tendency is to just work around the issue, rather than change the ground rules. This tendency is not unique to human-rated spacecraft or to NASA but can be observed in many industries. 37 5.4 Test Program Decision Factors Because of the subjectivity and inconsistency of test programs, many interviewees thought that parallels could not be drawn across programs. In contrast, we found that there is consistency in the decision factors used by the various decision makers. What does changes are the decisions that are made based on these same factors. Each decision maker takes a slightly different approach to making test requirement decisions. Some rely on the inputs of the system engineers more than others. Some have a formalized thought process, while others rely more on instinct. When probed further, there is a common set of factors that are included in the decision process. These factors are not all equally weighted nor does the weighting remain constant throughout the process. Situational and other external factors do have a large influence. Perhaps the biggest variable is in the differences between the decision makers themselves. 5.4.1 Technical Factors Three technical decision- making factors have been identified that deal directly with the spacecraft systems –safety, risk and confidence level. These technical factors are now described further. 5.4.1.1 Safety It was clear through the expert interviews that safety is the first priority when making testing decisions. NASA’s Program and Project Management Processes and Requirements document defines safety as: “Freedom from those conditions that can cause death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment” [47] Any items that could pose a threat to the safety of the astronauts are weighted the highest. The next concern was the safety of the spacecraft and the people working on it. Safety is never intentionally compromised in the decision- making process. This is not to say that safety in itself is never compromised. The failure of the Mars missions mentioned earlier in this thesis is evidence of this unintended consequence. Had more, or better, testing been performed, it is likely the missions would not have failed. A difficulty that program managers face is understanding what conditions constitute a threat to safety. While every program manager knows that safety is the first priority, they may not know when their decisions actually compromise safety. Another component of safety that factors into decisions is that of ground operations. Some tests pose a serious safety concern when performed during integration testing, in particular, when they require the use of hazardous materials. In these cases, the project manager must weigh the benefits of performing the test in actual flight 38 conditions versus the possibility of the ground team being exposed to hazards during operations. Again, it appears that safety does weigh very heavy in this decision process. All other means are explored first and performing hazardous operations on the ground are only conducted when absolutely necessary. 5.4.1.2 Risk Beyond safety, other aspects of risk were a major factor in the decision- making process. NASA’s Program and Project Management Processes and Requirements document (NPG 7120) defines risk as: “The combination of (1) the probability (qualitative or quantitative) that a program or project will experience an undesired event such as cost overrun, schedule slippage, safety mishap, compromise of security, or failure to achieve a needed technological breakthrough; and (2) the consequences, impact, or severity of the undesired event were it to occur.” [48] The greater the risk, whether in the form of likelihood or consequence, the more testing will typically be performed. The risk assessment, and minimally acceptable risk, depends on the particular project and the circumstances. There are often pre­ conceived biases of the likelihood and consequences are for particular projects. These pre-conceived opinions have led to some general misconceptions. For example, in one interview, the expert denoted that human-rated and expendable spacecraft must be treated differently. Human-tended spacecraft have the ability to make repairs on orbit while satellites do not have the same opportunity. [49] In reality, the same factors apply to both types of spacecraft but the only difference is in the respective consequences. In addition, it is often believed that human-tended spacecraft can accept more risk of finding non-critical errors on-orbit due to the ability of repairing. This does not address the fundamental issue of the likelihood that the error can be detected or corrected once discovered. The ability to detect and correct a failure must be included in determining the consequence level. Each project must assess the relative risk but the resulting actions for testing will differ based on the circumstances. 5.4.1.3 Building Confidence Another prime factor that may not be as obvious to the decision maker is the amount of uncertainty present. Uncertainty defines how well the risk can be determined. It is based on the amount of system knowledge that is available at the time of the decision. For example, the amount of previous experience with a design or the amount of testing previously completed contributes to the overall system knowledge. As system knowledge increases, confidence in the system’s operation also increases. There are a number of other factors that also contribute to the overall level of confidence in a system. The sources of uncertainty in the system’s operation are outlined in Table 2. It is important to note that it is these factors that are often 39 overlooked or underestimated in the decision-making process. By not considering these factors, many program managers have encountered difficulties. Sources of Uncertainty - New design - New technology - New interfaces - New application for reuse - Previous testing - Reliability of information - Hardware/software maturity (design and build) - Team experience - Complexity of system (including number of interfaces/interactions) - Required fidelity of results - Possible unexpected emergent behavior Table 2 - Sources of Uncertainty Most managers and decision makers recognize that new designs, technology, and interfaces create additional uncertainty, while previous testing increases confidence for the project. However, one of the most under-appreciated sources of uncertainty is reusing existing components in new applications. Decision makers repeatedly assume that reuse of a component of hardware or software will reduce the uncertainty level of the system. Unfortunately this is often not the case. The new application and new interfaces may in fact increase the uncertainty, unless enough time and effort is invested in a thorough review and analysis. One example of the perils of software reuse was experienced on the maiden flight of the Ariane 5 launcher in June 1996. [50] Approximately 40 seconds into the flight, the launcher veered off course sharply, began to break up and then exploded. An investigation into the accident revealed the cause of the failure to lie in the Inertial Reference System. At approximately 37 seconds into flight, the backup inertial reference system became inoperative when an internal variable that refers to the horizontal velocity exceeded a specified limit within the software. Simultaneously, the active inertial reference system experienced the same error, because both were operating with the same software. At this point the internal reference system fed diagnostic information back to the main computer. The main computer interpreted the diagnostic data as flight data and adjusted accordingly, sending the launcher off course. The resulting forces created by the drastic correction caused the launcher to disintegrate and then self-destruct. 40 The software used in the Ariane 5 launcher was the same inertial reference system software that successfully operated in the Ariane 4. The team chose to reuse the software for the new launcher, even though all the features were not needed in the new application. The team failed to recognized ahead of time the differences between the Ariane 4 and Ariane 5 initial acceleration and trajectory. The Ariane 4 launcher would have never reached the internal horizontal velocity limit within the software. However, the Ariane 5 reached, and exceeded, the limit by design. The team did not appreciate the impact of reusing the software and their review process was not stringent enough to catch the problems that would be caused by the internal reference system sending bad data to the main computer. In addition, since the inertial reference system was used previously on the Ariane 4, it was not tested under the Ariane 5 flight conditions. This test could have caught the error prior to launch. [51] NASA’s Mars Climate Orbiter (MCO) also experienced a failure due to a reuse of software without a thorough understanding of the implications. The MCO reused software code originally developed for another spacecraft for the thruster trajectory equation. The conversion code was in British units but the specification called for metric. The code was obscure and the specification was not well understood or reviewed with the reuse application. The subsequent mismatch of units resulted in the loss of the MCO. [52] These examples (and many other losses resulting from the reuse of software) demonstrate a possible downside of reuse; decision makers may be lulled into a false sense of security due to success in the past. There was a general impression among the expert interviewees that as they gained more experience with the systems, their confidence level increased. There is a potential that this confidence could translate into rationale to cut back on planned testing. Sometimes such reductions may be the appropriate action but a thorough review and analysis must take place first. Appropriate decision- making must take into account that similar components are not guaranteed to behave identically. An additional source of uncertainty includes the overall experience level of the team. If the project team includes a large number of relatively inexperienced engineers, there is an increased chance that an error will be made in the development process. Project managers cannot necessarily rely on good engineering practices to ensure the proper design and manufacture of the spacecraft systems. Additional testing is warranted to mitigate the effects of an inexperienced team. Most of the interviewees recognized unexpected emergent behavior as a source of uncertainty in the system’s operation yet few could describe a standard process for driving out this behavior. Most system and test engineers suggested additional testing in off- nominal and maximum use conditions as a means of discovering unexpected behavior. A number of the managers, however, believed that their current test programs were sufficient to drive out this uncertainty. Consciously 41 addressing any potential unexpected emergent properties is important and the test program should be designed to uncover as much of this behavior as possible. The remaining sources of uncertainty include: the maturity of the hardware and software, the complexity of the system, the reliability of the information available to the decision maker and the required fidelity of the results. These factors are recognized and understood by the decision makers but may not be a conscious consideration during the decision- making process. In order to achieve the best possible results, decision makers should think through each of the sources of uncertainty before making a final decision. 5.4.2 Non-Technical Factors Jus t as strong of an influence can come from external or non-technical factors. Even though they occur outside of the system, non-technical factors can apply a great deal of pressure on the system or on the decision maker. These factors are included in Table 3 and are discussed further in the following sections. Non-Technical Factors Available Resources Budget Schedule Test Equipment Facility Readiness Ability to test Simulators/emulators Procedures Personnel resources Limited life (lifecycle) Process - Requirements Test strategy Hardware/software development Contract type Organizational structure Political/Cultural Environment Changing priorities Nature of relationships Optimism/pessimism International implications Funding Source Individual Decision Making Behavior Knowledge Subjectivity Biases Table 3 – Non-Technical Factors 5.4.2.1 Resource Availability Testing decisions regarding resource availability involve cost, schedule, equipment, facility readiness and personnel. While resource issues are addressed during the planning process for testing, they often become subject to changing events that are 42 unrelated to the specific program under development. Therefore, in reaction to external events, adjustments to resources often appear as the best and only alternative. Consideration of resource alternatives in response to individual circumstances, while ignoring other related factors, can have a detrimental effect on a test program. For instance, delays in testing schedule are often made to accommodate the needs of other programs. An approach that accepts delays without concessions often results in increased costs to the program incurring the delay. Another example of the need to address resource availability in a holistic manner is illustrated by the various resource alternatives such as simulators, emulators and test equipment. By addressing the total resources available for accomplishing test activities, managers can often decide to substitute a planned test with an acceptable alternative using a different approach, thus preventing cost and schedule impacts. 5.4.2.2 Process Processes have an important role in ensuring successful implementation of test programs. Decisions regarding the testing strategy, contract approach, process rigidity and organizational structure must be considered early in the program in order to ensure proper resource availability later in the program. Perhaps the most important of the process-related factors involves test requirement development and implementation. Ambiguity in requirements often has the down-stream effect of increased changes during test implementation phase, which often results in cost and schedule impacts. Contract strategy is another important process decision that should be given careful consideration early in a test program. While fixed-price contracts offer cost and schedule fidelity, they often do not adequately address changes nor are they flexible enough to add new work without significant cost impacts. Test implementation involves a number of processes such as change management, configuration control and test procedure development and performance. The formality and stringency of these processes will affect the success of the overall test program. For example, decision- making processes for testing are established to deal with changes in testing requirements. A rigid process will increase the chances that testing decisions will be made in accordance with the established guidelines. Conversely, a process that is not firm will allow subjective considerations to heavily influence decisions. Because processes are used as a means to accomplish the tasks of a particular project, they should be tailored to the needs of the each project. In addition, changing processes once a test program has begun is extremely difficult without incurring heavy impacts on other aspects of the program, namely cost and schedule. Changes to the established processes should not be undertaken without serious consideration or unless absolutely necessary. It is much more efficient to ensure that the required processes are established during the planning phases of a project. 43 5.4.2.3 Individual Decision-Making Behavior The ability of the decision maker to gather and interpret information regarding test decisions is rarely addressed while planning or evaluating test programs. Because it is accepted that decision makers achieve their positions through technical and managerial competence, there is usually no mechanism for reviewing the quality of previous decisions as part of the process for making current decisions. Factors such as the decision maker’s technical and managerial ability, individual biases, and the subjectivity of the information all influence the quality of their testing decisions. Of these factors, decision biases are least likely to be controlled because sufficient oversight or independent review of the decisions is rarely provided. Therefore, any framework for decision- making should attempt to minimize biases of the decision maker. For instance, a manager with a background in hardware development might consider software testing decisions in the context of their previous hardware testing experience, while another manager with a project management background might emphasize cost and schedule considerations equally to those of technical requirements. Finally, it should be noted that decisions are only as good as the information that is available. Therefore, quantifiable data that can be compared in equivalent terms is essential for any testing decision to be effective. 5.4.2.4 Political/Cultural Environment Political and cultural factors have the most under-appreciated effects on testing programs. While they often have significant influence on decisions later in the development process, they are rarely consciously considered in the early decisionmaking process. Both political and cultural factors are important, yet they often go unnoticed by all but those in the highest positions, such as program managers and other key decision makers. Therefore, the influence of political and cultural factors may be greater than the other decision factors on those decision makers that are keenly aware of the political and cultural climate. For NASA, political factors involve pressures from competing programs as well as from organizations outside of the agency, such as Congress. The increasing international involvement in NASA programs also provides a new dimension to the cultural differences and political pressures that project managers must consider. It should be noted that decision makers might weigh these non-technical factors heavier than technical factors because they are often the pressures that are more readily felt at the time of the decision. Much of the risk component deals with “what­ ifs” in the future but resource availability is a present concern for the decision makers. The near term nature of the non-technical factors, along with the vagueness of the long-term technical effects, creates an imbalance for the decision maker. 5.4.3 Retest Considerations Another finding from the expert interviews was the general perception that retest decisions did not receive the same rigor as original test requirement decisions. When a 44 problem was uncovered during a test and subsequently repaired, the system often was not retested as thoroughly as the initial test. The decision to not retest is not necessarily improper, if a thorough review and evaluation is performed. Indications from the expert interviews point to the fact that this review does not always take place. The purpose of the retest is to verify the reconnected interfaces, to confirm the corrective action was sufficient to remove the error and to ensure that no other errors were introduced into the system during the replacement process. The same decision factors used in assessing the initial test requirements must be considered for retest. 5.5 The Role of Planning Human-rated spacecraft have always been extremely complex systems. As more electronic components and software are introduced into the functional operations of the system, the complexity will continue to increase, requiring that more rather than less testing be performed on the spacecraft. To manage this complexity, early planning in both systems engineering and testing is necessary. Statements such as “test early and often” and “poor decisions made early will kill you later” [53] were common responses during the expert interviews. The need for more planning of test activities is also recognized by organizations outside NASA, such as the commercial aircraft industry. For aircraft, the Federal Aviation Administration (FAA) establishes rigid requirements for testing that must be addressed early in the life-cycle of the program. These requirements are established by regulation and cannot be reduced. However, for unique spacecraft with no regulatory requirements to guide test development, it very difficult to establish a firm program for testing. Often the system requirements are so unique there is no previous test history to help determine the best approach, or in many cases, the time between programs hinders the knowledge transfer process. Furthermore, new designs are susceptible to changes, which translates into uncertainty because the engineer is unsure of the final system configuration. Ambiguity in system requirements can make the test requirements unstable and may result in more required testing. The success of a testing program is only as good as the test requirements that are developed. However, early emphasis on high quality test requirements is often missing from program planning decisions. The expert interviews revealed that inadequate requirements could lead to poor test procedures and a lack of proper test equipment. [54] The experts also advised that getting an early start on philosophical and policy decisions is necessary to establish the right priorities regarding the level of testing and criticality level of the requirements. [55] An illustration of the importance of test requirements can be drawn from the Huygens Probe that was launched with the Cassini Spacecraft in 1997. The probe experienced a communications anomaly during a routine test while en-route to its destination (the Saturn moon of Titan). The unexpected behavior occurred when a simulated Doppler shift was applied to a signal being sent to the Huygens Probe Support Avionic receiver. The Doppler shift caused the data signal to fall outside of the receiver’s narrow-band bit- loop 45 detector. The enquiry board could find no evidence of requirements or specifications regarding Doppler Shift on subcarrier or data rate in the receiver radio frequency telemetry. Had this been a requirement and tested prior to launch, the problem could have been identified on the ground and corrected by a software change. The software was not changeable after launch. Although the Huygens Program made use of independent tests and verifications, the following conclusion was drawn: “The problem on Huygens has shown the value of an end-to-end test simulating the various mission conditions as close as possible during ground testing.” [56] In the case of Huygens, early involvement of test engineers may have been able to influence the decision not to perform the end-to-end testing. One role of the test engineer is to find system problems that the designers did not anticipate. The added evaluation by the test engineers and a subsequent end-to-end test would have helped to ensure the spacecraft’s robustness. Finally, through early involvement, the test organization would be more familiar with decisions made by the designers and therefore would have the necessary understanding to develop stringent test requirements that would validate the actual mission conditions. These same findings can be applied to all programs. The early involveme nt of the test organization is also essential in establishing a set of firm test requirements that will be less vulnerable to changes later in the program. By establishing critical test requirements that must be performed, program managers and test managers are in a better position to respond to program changes. Less critical requirements can also be established early in the program, but can be accomplished by other methods of verification, or not performed in favor of cost or schedule considerations. This is appropriate as long as the risks associated with not performing the test are acceptable. Early decisions regarding the testing approach to human-rated spacecraft are made at the program management and system engineering levels. The program manager is responsible for overall resource allocation and cross-system integration decisions but must consider recommendations from the systems engineers. The systems engineers in turn base their recommendations on the inputs of the various hardware and software owners. For humanrated spacecraft, this simplified decision hierarchy involves many organizations and groups assigned to various aspects of the program. Decision makers at all levels must consider a wide range of variables when addressing testing programs. These include when to perform tests, what tests to perform, where to test, fidelity of tests, the amount of software IV&V to perform and how much retest should be allocated as contingency. Upfront planning also allows for the opportunity to begin testing early. An advantage of early testing is to verify component behavior under system- level conditions. Gaining this knowledge of actual system operations and behaviors is useful in driving down the level of uncertainty in the system. This testing allows transients to be identified at an early stage. The experts regarded this early emphasis as necessary to begin the process of addressing the “little glitches”, or unexpected emergent behavior, that must be understood as part of the overall system is developed. Ignoring these small details can lead to maintenance issues during operation, or even worse, on-orbit system failures. 46 The process of identifying unexpected emergent properties of human-rated spacecraft must begin at an early stage in the program to ensure that as many as possible are recognized and addressed. Analytical methods can be applied to early systems to find and correct possible interactions before the design is complete. Analysis alone will not identify all unexpected emergent behaviors and testing is necessary in order to ensure that those interactions that do present themselves will not pose an unacceptable situation for the spacecraft or crew. An example of this kind of unexpected behavior occurred on the Wide Field Infrared Explorer (WIRE) experiment launch in March of 1999. After its launch, a system anomaly occurred in which the telescope aperture cover was opened prematurely, resulting in the release of the spacecraft’s cryogenic hydrogen. The subsequent report on the incident traces the behavior to a field-programmable gate array (FPGA) that was used in a circuit for which it was not well suited. The mishap investigation determined that a transient signal occurred after start up of the FPGA. The WIRE report indicated that the testing method used for the spacecraft was performed at the hardware-box level only, a method that would not have identified the transient. The report also stressed the point that the spacecraft should be “tested as it is going to be used” in order to identify these types of behaviors. [57] Allowing enough time in the testing schedule to address these unexpected emergent behaviors, and other contingencies, is also important. Because testing occurs at the end of the development phase, the remaining ava ilable schedule is tightly controlled. The objectives of later tests may become vulnerable if too much time is spent correcting errors uncovered by the early test procedures. While schedules are typically optimistic, testing will find errors and the planning should account for these contingencies. Finally, early planning also allows program managers to develop enough flexibility in the test program to make adjustments during the later phases. Often, windows of opportunity develop from changes in other parts of the program (i.e. delays in launch schedule) that create time for more testing. If a prioritization of additional test activities is not readily available, these opportunities can be lost. The International Space Station (ISS) Program provides a prime example of taking advantage of a window of opportunity. The original ISS baseline contained almost no integrated testing of the major elements. When a schedule opportunity became available, ISS program management was able to use the time to perform a series of Multi- Element Integration Tests (MEIT). [58] These tests have proven to be successful in finding and correcting problems prior to launch. 5.6 Tracking Testing Costs Actual cost figures for spacecraft testing programs are very difficult to determine because NASA does not typically track them as a discrete line item in spacecraft programs. Pure test costs are often obscured by engineering and operational funding, making them susceptible to misinterpretation. An effort was made to determine the availability of actual cost data for use in a case study for this thesis, but what we found was either cited as 47 proprietary or deemed to be in an unusable format for proper analysis. Therefore, it is recommended that actual financial data be obtained for use in evaluating testing cost performance and for use in program planning. Test costs are not consistently defined from one program to another, making comparisons difficult between programs. Contractors, however, have attempted to establish heuristics for estimating testing costs for use in developing cost proposals. These estimating “rules of thumb” are subject to negotiation during the proposal development phase as well as during final contract negotiations with the customer. During the actual performance of testing activities, contractors also provide better cost tracking, but do not typically make the details of these costs available to others for proprietary reasons. Contractors are often required to submit detailed financial information to the government, but again this information is not easily broken down to actual test costs. Better estimating and tracking of test activities is needed to establish a consistent estimating tool that can be used in early program planning. Accurate test cost data can also be used to establish the savings that testing brings to a program in the form of cost avoidance from errors that may have been overlooked had the testing been eliminated. Life-cycle cost consideration is another deficient area in making test decisions. For human-rated spacecraft it is often attractive to forego a test and accept the risk that an onorbit repair will be necessary. However, when the cost of on-orbit repairs are considered in the decision, it often becomes apparent that performing a test is money well spent in the long run. The trade-off between performing testing and accepting the risk of an expensive on-orbit repair is often not assessed because of the urgent nature of the decision at hand and the lack of useful and accurate cost data. The manager will be tempted to “save” the cost of the test and apply it toward a possible repair effort. With improved cost data regarding testing and on-orbit activities, decisions to perform more testing may be easier to justify. 5.7 Testing Is An Art The finding that testing is more of an art than a science further reinforces the theme of subjectivity in testing and also recognizes the innate difficulty of test engineering. Experience and mentoring are more important than formal training in developing test engineering expertise. One reason for the lower prominence of formal training may be the lack of testing emphasis in systems engineering literature, including government and corporate policies and procedures. Although NASA is attempting to address testing as part of its program and project management policies, our expert interviews revealed that documented guidelines may be one or two revisions away from giving testing adequate attention. [59] The lack of testing literature is not limited to NASA. College curriculums and industry also give testing superficial emphasis. Testing is mentioned as a necessary component of system development but does not include a discussion of actual test implementation. Formal training is also not provided either in college or in most industries. 48 Because testing practices are not formally documented, the most valuable knowledge is retained within the individual experts as tacit knowledge. This finding is reflected by the expert interview responses that recognize the human relationship component that exists in the test engineering community. As organizations change from experienced-based knowledge to process-based knowledge, there is a danger of losing the testing expertise that resides within the organization. Once this knowledge is lost, the chances of repeating past mistakes increases. In order to maintain the knowledge base and core capabilities, test engineering should be treated as a valid profession with the same prestige level as other engineering disciplines. Providing test engineers with a viable career path will prevent them from moving to other, more rewarding, assignments and will also serve to attract talented new engineers to the profession. Currently, test engineering is not given the recognition appropriate to the amount of creativity and difficulty involved as compared to design engineering. The expert interviews pointed out that test engineers need to know the system design and then must be more creative in trying to identify system faults. [60] Finally, any organizational structure should attempt to capture and retain the core knowledge of its testing group. Mentoring and On-the-Job-Training are two ways of retaining testing knowledge and passing it along to new programs. Barriers to knowledge transfer exist in several forms. First, most knowledge management systems are poorly funded and fail to document root causes of problems in a form usable for application toward new problems. Second, a culture of addressing only those problems related to the current program exists, without regard to preventing problems in later programs. Contractual issues also pose a barrier to knowledge transfer in the form of test data created by contractors not being a required deliverable to the government. Finally, knowledge transfer is relationship dependent. Programs that have good relationships between organizations tend to transfer knowledge easier than those that have adversarial relationships or are geographically dispersed. 5.8 The Importance of System Engineering Good sub-system engineering is not a substitute for proper overall system engineering. Designing and testing at the sub-system level is a necessary process that attempts to confine functionality within the sub-system while providing higher- level controls over the interfaces between the various sub-systems. In doing so, the complexity of the higherlevel system can be managed through the lower-level sub-systems. Focusing on the sub­ system level does not imply, however, that early attention should not be applied to the overall system level performance and the possible interactions between the sub-systems. Our expert interviews suggested that another role of testing is to capture those sub-system interactions without having to give them thoughtful attention during the early development stages. While testing does drive out errors, it is not intended to serve as a substitute for the design process (from a systems integration perspective). Nor should a conservative design process tha t attempts to provide system robustness and fault-tolerance serve as a substitute for proper testing. The bottom line is that system engineering must give a voice to both design and testing in the proper proportions. 49 The need for a strong system engineering perspective is becoming increasingly more important as systems become more complex and the projects more distributed. Many of NASA’s human-rated spacecraft projects are broken down into individual work packages and dispersed between centers and contractors. In general, good system engineering is performed for each of these packages. When the project is broken up in this manner, the system engineering must be even stronger. More coordination and communication is required and only through the system engineering function can this be accomplished. Very often each of the work package owners follows their own similar, yet different, processes. The system engineers must ensure some level of consistency and that a minimum standard is met. Integration testing, by its very nature, crosses these organizational, contractual and geographic boundaries. Proper system engineering is essential to the success of a test program. In very large programs, individual work package groups or organizations may be tempted to operate as autonomous entities. They can become focused on delivering their particular product and lose focus on the larger picture. It is the responsibility of system engineering to ensure that working relationships are established and a free flow of information is maintained. Several expert interviewees noted that these individual organizations sometimes exhibit “engineering arrogance”. They do not recognize the need for system engineering and they do not think outside their particular area of expertise. As one interviewee described, these groups operate as if they were on separate islands. System engineering must build the bridges to connect each island. [61] 5.9 Program/Agency Culture Program and agency culture strongly affects testing. A traditional engineering culture places emphasis on design because the design must come before testing. In addition, the role of the designer is to build a robust system while the role of the tester is to find errors and shortcomings with the design. Both groups must be disciplined enough to recognize the role of the other and avoid adversarial behavior. As mentioned earlier, test engineering has a stigma associated with it due to its lower priority within the organization. This inequality in organizational status exacerbates the adversarial relationship and can hamper communications between the design and test groups, resulting in severe negative effects on program success. Another cultural aspect that affects testing programs is the mindset that each program stands on its own. Very little resources are spent on trying to make testing easier on the next program by understanding today’s failures and sharing lessons learned. The repetitive nature of the tasks in the commercial aircraft industry makes the transfer of lessons learned easier. Even so, for most engineering cultures, the process of mentoring is much more effective in transferring knowledge than through documentation methods. 50 Chapter 6: Lessons for the Future “Taking action in advance to prevent or deal with disasters is usually worthwhile, since the costs of doing so are inconsequential when measured against the losses that may ensue if no action is taken” - Nancy Leveson (Safeware, 1995) [62] From the themes and findings discussed previously in this thesis, recommendations for assessing future test requirement decisions are outlined in this chapter. First, the current risk management process is described, along with its applicability to test requirement decisions. Suggestions for improvement of the risk management process are also offered. Second, additional keys to a successful test program are discussed. Finally, this chapter explores the nuances and challenges faced in the individual decision- making process. 6.1 Risk Management Process 6.1.1 Current Risk Management Techniques As discussed in the preceding chapters, testing serves the purpose of risk mitigation by discovering errors and building confidence in the overall system operation. All NASA programs, along with other industries, currently use risk management programs that have been tailored to their own individual needs, constraints and philosophies. Each program utilizes some form of likelihood and consequence as a means to assess risk. NASA defines likelihood as: “the probability that an identified risk event will occur.” [63] Consequence is defined as “an assessment of the worst credible potential result(s) of a risk”. [64] In order to assess the overall risk, likelihood and consequence must be evaluated together. One tool used to aid decision makers in this evaluation is a risk matrix. The generic risk matrix that NASA has adopted is shown in Figure 7. LIKELIHOOD ESTIMATE CONSEQUENCE CLASS Likely to Occur Probably will Occur May Occur Unlikely to Occur Catastrophic Critical Moderate Negligible High Risk Medium Risk Low Risk - Figure 7 - NASA Generic Risk Matrix [65] 51 Improbable The matrix in Figure 7 illustrates only one option for comparing risk. While this matrix has four levels of consequence and 5 levels of likelihood, each program and industry has tailored the matrix to suit their own needs. Typically the scaling varies between 3 and 6 levels for each component of risk. Likelihood is typically measured on a scale ranging from Likely- to-Occur to Improbable or Impossible. Consequence usually ranges from Catastrophic to Negligible. No matter which scaling method is used, the highest risks are those with the highest likelihood and the worst consequences. Risks are not limited to technical concerns but can include risks to schedule and budget as well. Regardless of the source, once a risk is identified, likelihood and consequence must be determined so the risk can be mapped on the risk matrix. This evaluation can be either quantitative or qualitative. Some of the methods used to analyze risk include: Probabilistic Risk Assessment (PRA), statistical analysis of historical data, Fault Tree Analysis, and Failure Mode and Effects Analysis. [66] Traditionally, hardware reliability also is used to determine the likelihood of failure. However, using hardware reliability as the only means of assessing likelihood represents two erroneous assumptions. The first incorrect assumption is that hardware failures are the only causes of accidents. This is not true and in fact is often not the case in many large-scale accidents. Accidents and unintended events can result from human error, bad requirements, processes not being followed or design deficiency. Managers and decision makers must consider all of the possible causes of accidents or overall system failure when assessing the total risk for a project. The second incorrect assumption is that reliability can be equated to successful operation. This assumption is particularly not true for software. Each component or module may operate as intended and hence be very reliable. A combination of components may, however, produce unintended behavior that results in a system failure. Unclear requirements or design flaws may also yield highly reliable components that do not meet the intent of the system’s operation. Program managers must be conscious of these misconceptions when evaluating the overall program risk. Once risks are identified and plotted on the risk matrix, there must be a way to compare and prioritize all of the risks. Again, each program and industry has chosen different methods of accomplishing this risk ranking process. NASA’s Risk Management Procedures and Guidelines (NPG8000.4) suggests using a Risk Assessment Code (RAC). The RAC are numerical values assigned to each field in the risk matrix, as illustrated in Figure 8. [67] The RAC values appear to be assigned in an evenly distributed, impartial manner. Risks with a RAC of 1 are the highest and should receive top priority in terms of resources and attention. 52 LIKELIHOOD ESTIMATE CONSEQUENCE CLASS Likely to Occur Probably will Occur May Occur Unlikely to Occur Improbable Catastrophic 1 1 2 3 4 Critical 1 2 3 4 5 Moderate 2 3 4 5 6 Negligible 3 4 5 6 7 Figure 8 – Risk Matrix Showing Risk Assessment Code (RAC) (Adapted from [68]) Individual NASA programs use the risk matrix as a management tool to manage and track risk mitigation actio ns. Each risk is assigned a managing organization that has the responsibility of establishing a plan to reduce the likelihood of the risk occurring or of lessening the severity of the consequence should the event actually take place. This plan is entered into a database and the action tracked until the risk is reduced to an acceptable level. [69] The program manager is typically responsible for determining the acceptable risk level. One downside of this management tool is that risks are evaluated individually. Any unexpected emergent behavior that may result from a combination of risks will not be discovered or considered through the use of the risk matrix. The NASA Risk Management Procedures and Guidelines (NPG 8000.4) provides the basic principles of a risk management plan. Each program manager is then required to develop a detailed risk management plan specific to their individual program/project, based on the general guidelines. Each program manager is responsible for determining how their risks should be ranked and prioritized and they must also determine what level constitutes acceptable risk. While the ability to tailor the risk management process does allow managers to better meet the needs of their project, it also adds to the inconsistencies of test approaches across the agency and industry. One example of how a large-scale NASA program has adapted the NASA risk management guidelines is depicted in Figure 9. In this application, the risk matrix is comprised of 5 levels of likelihood and 5 levels of consequence. These levels are labeled numerically 1-5 with 5 being the highest or most severe. 53 LEGEND High -Implement new process(es) or change baseline plan(s) 5 L L I 4 4 K K E E L L I 3 3 H H O O O 2 2 D D Medium - Aggressively manage; consider alternative process Low - Monitor 1 1 2 3 CONSEQUENCES 4 5 5 Figure 9 – NASA Program Risk Matrix [70] The risk management plan for this program suggests that for each risk, the likelihood and consequence should be multiplied together to determine a risk score. [71] These scores are then used to rank and prioritize all of the risks. For example, a risk with a likelihood of 4 and a consequence of 5 would receive a risk score of 20. This score is not an absolute number but rather a relative ranking used to prioritize all risks. The methodology of multiplying likelihood times consequence, however, does little more than assign a value to each field in the matrix, similar to the concept of the RAC used in NASA’s generic risk matrix. The assignment of risk scores to matrix fields is illustrated in Figure 10. 5 L L I 4 4 K K E E L L 3 I 3 H H O O O 2 2 D D 5 4 10 8 15 12 20 25 16 20 LEGEND High -Implement new process(es ) or change process(es) baseline plan(s) 3 6 9 12 15 Medium - Aggressively manage; consider 2 4 6 8 10 alternative process 1 2 3 4 5 4 5 5 Low - Monitor 1 1 2 3 CONSEQUENCES Figure 10 – Risk Matrix with Scoring [72] The approach of multiplying likelihood and consequence can be misleading. First, likelihood and consequence are two different entities and are not presented in the same terms. Likelihood traditionally is in the form of a probability, while consequence is not –yielding a product with meaningless dimensions. Second, it may misrepresent the relative distance between two risks. For example, a risk with a consequence of 5 and a likelihood of 4 has a score of 20, while a risk with the same consequence of 5 but a 54 likelihood of 2 has a score of 10. It is unreasonable to assume that the risk with a score of 10 is actually twice as good as the risk with a score of 20. The Department of Defense (DoD) uses a hazard criticality index matrix that may serve as a better approach to prioritizing risks. A simplified example of this matrix is shown in Figure 11. Frequent Probable Occasional Remote Improbable Impossible Catastrophic 1 2 3 4 9 12 Critical 3 4 6 7 12 12 Marginal 5 6 8 10 12 12 Negligible 10 11 12 12 12 12 Figure 11 – Adapted DoD Hazard Criticality Index Matrix [73] For this application, the number in each field represents the criticality of various identified hazards as part of the DoD’s safety program. The number values are not distributed evenly, showing that some thought and methodology went into assigning ratings to each field. Any hazard below the dark line is considered acceptable. The goal of the mitigation activity is to drive down the criticality to a rating of 9 or higher (below the line). [74] Reducing criticality can be accomp lished through design changes, additional redundancy, safety features or operational workarounds. This same methodology can be used for risk management. In addition, if the matrix values can be assigned at the agency level, then consistency in determining acceptable risk can be achieved throughout the program. The subjectivity of assigning likelihood and consequence values would still remain, however. The preceding discussion on risk management techniques is only a cursory review. Further analysis of the various risk management processes and the relative benefits and drawbacks is work that should be covered by a subsequent thesis. A general understanding of risk management is needed for the purposes of this thesis. The application of risk management to testing is discussed further in the following section. 6.1.2 Application to Testing The intention of risk management activities is to identify and mitigate risks in every stage of a program. Poorly defined risks or those risks that will not be realized until far out into the future are usually not plotted on a risk matrix due to the lack of solid information on which to base likelihood and consequence magnitude decisions. In the early stages of programs, risk assessment focuses on the design activities. At this stage, test requirements are typically unclear and will not be implemented until the end of the program. As a result, risk assessments do not deal with the early test requirement 55 decisions. It is only when the test activities are underway that the risk matrix is typically applied to testing. The risk matrix approach can, and should, be applied to early test requirement decisions. Because testing builds confidence in a system’s operation and serves to mitigate risk, the same risk matrix principles described above apply equally to testing as to the other parts of a project, such as design and safety. There is a weakness, however, with the current implementation of the risk matrix: likelihood is no longer an easily measured quantity (such as hardware reliability) in complex, software- intensive systems. Because today’s systems are becoming increasingly more complex assessing the likelihood of an event occurring is also becoming more difficult. While consequence evaluations are still relatively straightforward, most assessments of likelihood currently leave out too many factors and only consider traditional hardware reliability data. Testing serves to build confidence in the system engineer’s assessment of the likelihood that an event actually taking place. As described in Chapter 5, and shown again in Table 4, these sources of uncertainty factors also need to be a central component in any likelihood evaluation. Sources of Uncertainty - New design - New technology - New interfaces - New application for reuse - Previous testing - Reliability of information - Hardware/software maturity (design and build) - Team experience - Complexity of system (including number of interfaces/interactions) - Required fidelity of results - Possible unexpected emergent behavior Table 4 – Sources of Uncertainty While there does need to be a better method of estimating likelihood, it should be noted that testing alone does not change the likelihood of an event occurring. Testing does, however, increase the confidence in the system engineer’s assessment of likelihood. Testing also allows for problems to be discovered on the ground so that corrective action can be taken. Testing also does not change the consequence, unless it provides the system engineers with new knowledge about the system’s operation. 56 Another concern in the traditional use of the risk matrix is that risks are evaluated on an individual basis. By addressing each risk separately, any unexpected emergent behavior that may result from a combination of risks will not be captured by the matrix approach. Because another goal of testing is to drive out these unexpected emergent behaviors, the risk matrix approach should be expanded to evaluate a combination of risks. Combining risks, however, may be misleading because the number of components involved in each test will vary from requirement to requirement. Testing will often address multiple risks at once, making side-by-side comparisons more complicated than comparing individual risks. For example, a component test requirement typically involves only one or two components while an integrated test requirement can include many different components. The differences in testing configuration and the weighting of the factors must be assessed in conjunction with any other rating that is derived from the analysis of the combined risks. Perhaps the greatest strength of the risk matrix, as it is applied to testing, is in the methodical thought process that the decision maker must go through in order to use the tool. The first benefit is in reviewing and evaluating all the factors that are included in likelihood and consequence, especially the confidence factors. Most system engineers and decision makers are experienced in plotting likelihood and consequence on a risk matrix. Traditionally, each of the confidence factors has not been assessed in an independent or formal manner. This is unfortunate because the main goal of testing is to drive down uncertainty and build up confidence in the system. As discussed previously, the confidence factors include many aspects beyond what is traditionally considered as a source of uncertainty. Typically a new design is identified as a source of uncertainty but too often project managers choose to reuse components to reduce uncertainty. As described earlier, reuse can actually be a large source of uncertainty because managers are too over-confident with the reuse. Thinking through the total level of uncertainty will aid decision makers in identifying weaknesses in time to test and correct before on-orbit operations. The true pay-off comes in consciously thinking through each decision factor individually and in context with the other factors. Finally, one additional concern with the current risk management practices, as applied to testing, should be addressed. This concern deals with the competition between technical and cost risks. NASA, like other industries, typically tracks technical, cost and schedule risks. Because testing takes time and costs money, decision makers are forced to trade-off the technical risk of not performing a test with the cost and schedule risks of adding additional testing. When considering the cost risk, some programs only address the cost of abating the risk and not the cost of the risk if it would occur. [75] This is counter to the purpose of testing. As described previously in this thesis, testing is both vulnerable to cutbacks and testing costs are not tracked in a manner that allows true life-cycle comparisons to be made. These conditions only serve to give more weight to the cost and schedule risks over technical risks. Decision makers must be cognizant of the se influences, especially when using the risk matrix to assess test requirements. 57 6.2 Additional Keys to Success A key to any successful test program is a holistic view of both the technical and non­ technical factors involved in all projects. One set of factors should not be weighted more than the other; each plays an important role in the overall process. In addition to the risk management and decision-making process factors described earlier, there are other important aspects that can increase the effe ctiveness of a test program and in turn increase the chances for the project’s success. These recommendations for ensuring success are discussed in this section. 6.2.1 Status of Testing As discussed in the previous chapters, test engineers, and testing in general do not receive the attention or status that they deserve. It is important for program managers to give testing as much consideration as the other aspects of a project. Testing also needs to receive attention from the very beginning of the development process. While testing may not be the top priority in the early stages, it cannot be ignored either. Including test engineering representation in the design definition phase is one way that a program manager can provide this early involvement. Testing is a vital component in all projects and good test engineers are valuable assets not only to the project itself but also to NASA as a whole. NASA, and all contractors involved in human-rated spacecraft, should work to raise the prestige of testing within the agency. Test engineering needs to be considered a valid profession and it should have its own viable career path. A test organization should be made up of experienced system engineers, and it should not be used as a first assignment for new engineers. Because testing is more of an art than a science, management should proactively seek out those engineers that demonstrate the ability to be good artisans in the testing arena. Testing skills should be viewed as desirable and rewarded as such. When a project is successful, it is typically the design engineers who receive all of the recognition and rewards. Too often, test engineers do not receive the credit they deserve for their contribution to the success of a project. A good balance between all disciplines is needed to ensure the proper balance of the project itself. 6.2.2 Organizational Considerations The organizational structure that a project manager selects has a significant impact on the overall success of the project. Consideration must be given at the earliest stages to the appropriate structure that best serves every phase of the project. It is easy for managers to focus solely on the tasks at hand when first organizing the project, believing that the organization can change along with phase of the project. This belief is valid but only to a limited extent. The organizational structure can be adjusted slightly as time progresses, but it is important that the organization allows for the proper flow of communication and facilitates the involvement of all the essential players. Both system engineers and test engineers should be included as essential participants from the earliest stages. 58 There are a number of advantages in establishing a separate test organization, as was discussed in previous chapters. The primary benefits are in the ability to maintain a focus on the testing activities, to ensure a consistent test philosophy, and to develop test engineering skills. While having a separate organization is beneficial, it also requires increased coordination. Strong system engineering is essential, especially if the team is widely dispersed. The coordination mechanisms must be addressed at the time the project is structured and put into place from the beginning. Another important organizational consideration is in the division of a system into sub­ systems. Project managers have become adept at partitioning systems in such a way to limit the number of interfaces between sub-systems. [76] Project managers must also consider what each sub-system should include, such as software. Software should not be treated as a standalone sub-system. To ensure that software is integrated into each sub-system, the organizational structure should also include software representation in each sub-system group. Accountability, along with responsibility, for software must be given to the system engineers. Software is an integral part of the system and should be treated equally with the other system components. 6.2.3 Knowledge Transfer As discussed previously, test engineering skills are not formally taught and must be learned on the job. To ensure successful test programs, both project managers and functional supervisors should establish mentoring programs for test engineers. Rather than the typical ad hoc nature of testing training that is evident today, managers must be proactive in developing the testing talent that will be required in the future. Capturing and retaining testing skills is especially important after the completion of large projects. A great deal of knowledge is gained through the course of completing large-scale or long-duration projects. This knowledge and expertise is often lost after the team is disbanded, and the next project must start from scratch in developing the needed testing skills. A more strategic approach should be taken in capturing testing knowledge and in maintaining skills. One solution would be to create a small testing corps that remains intact after one project completes and then moves on to another project. While the systems would vary from one project to another, the same testing skills would apply. In addition, this testing corps would also be mentoring other engineers on the project, proliferating the needed expertise throughout the agency. Additionally, NASA should also consider the need for agency-wide knowledge-sharing on testing. Currently the program and project guidelines (NPG 7120.5) do not address actual test implementation. An agency-wide team should be formed to seek out best practices in the testing arena and update NPG 7120.5 to include more guidelines. Formal training programs in test engineering could also be investigated and established. This training would not replace the need for mentoring. 59 6.2.4 Alignment of Goals For any project to be successful, all participants must be aligned with the overall goals of the project. The primarily tool that program managers use to determine the organization’s ability to meet its goals is performance metrics. Each organization is typically only measured against the group’s individual output. For example, the design organization is evaluated on their ability to deliver a good design while the testing organization is measured against the ability to meet testing milestones. Because testing occurs at the end of the project, many of the initial groups involved with the design and manufacturing are disbanded. Problems found during testing that need to be corrected often result in a delay to the schedule. Because the test organization is evaluated on the ability to meet milestones, these delays can reflect negatively on their performance. If the problem is a result of a design deficiency, it should be attributed to the design organization. Too often the test organization is often left to assume the full responsibility of the system’s operation. The design organization should share the responsibility for the systems final performance and should be rated on the testing activities as well. In fact, the test organization should be rewarded, rather than sanctioned, for finding the flaw prior to on-orbit operations, rather than sanctioned for the delay in schedule. A better approach to performance measurement would be for each organization to be measured against the overall success of the project. Project managers need to establish a method of delaying the organization’s final rating until the completion of the project, so that all groups can be held accountable for the systems ability to meet the project’s ultimate goals. 6.3 Testing Decision-Making Considerations As discussed in the previous chapter, decision makers are faced with both technical and non-technical influences when making decisions. This section will describe the differing effects these influences can have on individuals with various decision- making preferences and style s. Every person has their own decision- making style based upon personal preferences, experiences and expertise toward viewing decision alternatives. In order to ensure that testing decisions are made in a consistent manner, these decision- making influences must be understood by the decision maker. Three broad perspectives have been identified that affect individual decision makers: risk-tolerance, long-term view and systems approach. By understanding the influences on the decision- making process, managers will be better equipped to face the challenges of a development program. 6.3.1 Risk-Tolerance In an ideal world, managers compare decision alternatives from a neutral perspective and make choices based on the expected value of the outcomes under cons ideration. 60 When two or more alternatives have the same expected value, a manager will consistently make the same choice based on established selection criteria. However, in the real world, decisions are not always framed in terms of expected value and the selection process is not always consistent between individuals. One way to describe differences between decision makers is by the amount of risk they are willing to accept, referred to as their risk tolerance level. A manager with a high risk-tolerance level will be willing to accept more risk than a manager with a low risk-tolerance level (risk averse). It is important for managers to understand their personal risk-tolerance levels when faced with difficult decisions. In the testing environment, a technical manager who is risk-averse will want to perform more tests in order to decrease the chance of a system failure. By making decisions that reduce risk, the test manager will contribute to improved safety of the system. However, if a risk-averse manager is considering a test decision from a cost perspective only, a decision to delete a test may be chosen in order to reduce the risk of a cost overrun. In the case of the cost-related decision, the manager is reducing business risk at the expense of technical risk. Therefore, to avoid the paradox described above, the technical and non-technical decision factors must be considered as a whole. One way to benefit from the differences of individual decision-making preferences is to match decision- making styles to specific types of management positions. Managers responsible for safety-related issues should have a risk-averse personality, while a manager who has a high tolerance for risk may be more qualified making resource and political decisions. The best approach is to create a management team the blends risk averse personalities with those that can accept higher levels of risk. A balanced team will provide a collaborative environment that will place proper emphasis on all of the decision factors being considered. 6.3.2 Long-Term View The timeframe for realizing the effects of a decision is another way that managers differ in their decision-making preferences. In general, managers will give the immediate impacts of a decision more weight than the long-term effects. One reason that short-term impacts have more influence is that there is less time to mitigate shortterm effects and therefore they take on a sense of urgency. Another reason is the false perception that there may by more options available to address long-term concerns, allowing test managers time to avoid them in the future. By downplaying the longterm effects of decisions, managers are vulnerable to a “wishful thinking” mentality that may create more, and bigger, problems in the future. Testing decisions are also viewed differently depending on the phase of the program in which the decision is made. Early in a development program, decisions can be made in an aggregate fashion in which trade-offs can be properly analyzed. As time progresses, however, decisions must be evaluated on an individual basis with fewer alternatives to 61 consider. The result is that decisions to add testing may be harder to implement in the later phases of a development program. 6.3.3 Systems Perspective Decision makers at all levels must consider their decision alternatives from a systems perspective that considers the higher- level objectives of the organization, rather than those of their immediate domain. Often, managers from different parts of an organization are faced with situations in which they must compete for available resources. Without a systems approach, one manager’s gain will become another’s loss. Viewing decision alternatives in a holistic manner will often provide a synergistic alternative in which all factors can be successfully addressed. However, to be successful, managers must be willing to accept a less than optimum alternative for their particular part of the overall program. In an era of decreasing resources, this approach is vital to ensuring successful spacecraft test programs. In addition to considering decisions alternatives in terms of higher organization objectives, the scope of the decision must also be viewed from a systems perspective. Individual decisions are often perceived to have a larger impact to the decision maker than those that are considered in the context of an overall program change. For instance, if a spacecraft test program had an estimated cost of $30M. Considered as an individual event, there would be concern that the cost was too high. However, if the cost of the testing were compared to the total cost of the entire program, say $12 billion, it becomes clear that the testing cost is more acceptable. In this case, the cost of the test program accounts for only small percentage of the total program cost and can provide benefits that far exceed the $30M cost of testing. These benefits can come in the form of increased confidence in the performance of the spacecraft. Finally, taking a systems approach to decision making allows managers make the necessary trade-offs between the technical and non-technical factors. Risk mitigation, cost and schedule must be considered when making testing decisions, but the technical objectives of the program must be maintained to ensure overall success. In summary, the three decision-making considerations discussed above are interrelated and can be summarized as follows. The systems approach helps decision- makers understand the importance of the long-term view of decisions. Systems’ thinking also allows decision-makers to consider technical and non-technical factors relating to testing. The timing of decisions is also important in maintaining a long- term view. Decisions made early in a test program allow the decision maker to take a long-term view, but as time progresses the number of available alternatives may diminish. Finally, decision- makers must be aware of their individual decision-making preferences regarding risk tolerance. A balanced team that consists of risk averse and risk tolerant managers will provide the best combination for consistent decisionmaking. 62 Chapter 7: Summary The overall objectives of this thesis were to document the test approaches and philosophies used within NASA and other organizations, to determine if the critical decision factors can be applied to all human-rated spacecraft programs, to provide lessons learned for future projects and to understand how various programs address unexpected emergent behavior. This final chapter will review the conclusions and recommendations that resulted from the research conducted towards meeting these objectives. Finally, suggestions for future research in this area are outlined. 7.1 Conclusions The primary research for this thesis included interviews with experts in the system and test engineering fields. From these expert interviews, major themes were observed and findings established. This section will briefly summarize the major themes and findings. 7.1.1 Major Themes from Expert Interviews Subjectivity of test requirements development: One purpose of testing is to reduce the risk that a system will fail to meet its intended performance goals. Because determining risk levels is highly subjective, especially for new designs and architectures, testing in turn becomes highly subjective. Typically, the actual test requirement decision process is not documented as a formal process but relies heavily on the judgment of the decision makers, adding to the overall subjectivity. Due to this subjectivity, testing practices are not consistent across the aerospace industry or in comparison with the commercial aircraft industry. Paradoxical nature of testing: Intuitively, people know that more testing is better than less testing but all projects are under tight cost and schedule constraints. Managers must constantly balance the trade-off between too much and too little testing. Testing alone does not make a project successful, but it does raise confidence in the likelihood of success. Testing is often regarded as a drain on project resources, rather than a valuable undertaking. Vulnerability to changes and cutbacks: Most testing occurs late in the development phase. Since budget and schedule pressures are most keenly felt at the end of a development program, testing is extremely vulnerable because it is one of the only remaining opportunities left to make up schedule or cut costs. Inadequate attention to testing: Testing in general does not receive as much attention as it should in order to ensure a project’s success. First, testing typically does not receive enough emphasis during the initial planning phases. Second, testing is not given enough attention in literature, training programs or academia. Third, test organizations do not hold the same status or standing as do other groups within a program due partly to the focus on design activities. 63 Organizational influence on the testing process: The structure of an organization does play a role in the overall success a program. Having a separate test organization was recommended as one method of developing skills, facilitating knowledge transfer, improving communication and establishing a consistent test philosophy. It ensures that attention is focused on testing activities even while the program management may be concentrating on other issues. In addition, having previous experience with hardware and software can be very important in recognizing system trends and unexpected emergent behavior. However, an independent testing organization does have limitations and requires increased integration and communication. 7.1.2 Major Findings of Thesis For some projects, software is considered a stand-alone system: Today’s systems are becoming increasingly more reliant on software to operate successfully. Yet for many projects software is not being treated as an integral part of the overall system. Instead, software is viewed as a separate stand-alone system, as evidenced by the project’s organizational structure, the process by which the software is tested and delivered, and the limited insight that some sub-system engineers have into the software development process. In addition, many of today’s managers have a background in hardware development and try to apply the same principles to software. Software, however, has many fundamental differences in the way it is developed and tested. Optimism varies with organizational position: The interview process revealed differences in attitude toward the effectiveness of testing among those at various levels of the organizatio n. The optimism level in the adequacy of the test programs increased as one went up the chain-of-command toward the managers. One possible explanation for this trend includes the senior managers’ ability to take a larger view of the overall project. These managers are also required to balance limited resources, political factors and a larger constituency than many engineers at the lower levels. In addition, the information that managers receive may be less-than-perfect and they may be accepting more risk than they realize. While testing practices vary, decision factors do not: Contrary to common belief, there is consistency in the decision factors used by the various decision makers. These common decision factors can be divided into technical (safety, risk and confidence building) and non-technical (resource availability, process, individual decision-making behavior and political/cultural influences). Due to their salient nature, non-technical factors often carry as much, or more, weight to the decision maker as do technical factors. Perhaps the most under-appreciated factors are those that build confidence by addressing the various sources of uncertainty. Decision makers should thoroughly consider each of the sources of uncertainty, especially the effects of reuse, an inexperienced team and potential unexpected emergent behavior. Upfront planning is a key to success, but be prepared for change: Early planning in both systems engineering and testing is necessary to manage the complexity of 64 human-rated spacecraft programs. A key to the success of a testing program is in developing high-quality test requirements. The early involvement of the test organization is also essential in establishing a set of firm test requirements that will be less vulnerable to changes later in the program. In addition, upfront planning also allows for the opportunity to begin testing early and allows program managers to develop enough flexibility in the test program to make adjustments later in the project. Current methods of tracking testing costs are not sufficient: Actual cost figures for spacecraft testing programs are very difficult to determine because they are not typically tracked as a discrete line item in spacecraft programs. Other engineering and operational funding often obscures pure test costs, which is unfortunate because accurate test cost data could be used to establish the savings that testing brings to a program in the form of cost avoidance. Life-cycle cost estimating is another area that should be enhanced and used in making test decisions. When the cost of on-orbit repairs are considered in the decision, it often becomes apparent that performing a test is money well spent in the long run. Testing is more of an art than a science: Experience and mentoring are more important than formal training in developing test engineering expertise. Because testing practices are not formally documented, the most valuable knowledge is retained within the individual experts as tacit knowledge. In order to maintain the knowledge base and core capabilities, test engineering should be treated as a valid profession with the same prestige level as other engineering disciplines. Good sub-system engineering is not a substitute for proper system engineering: While designing and testing at the sub-system level is necessary to reduce complexity, early attention should be applied to the overall system level performance and the possible interactions between the sub-systems. Because of the increased complexity of today’s systems and distributed nature of projects, strong system engineering perspective is becoming increasingly more important. In addition, integration testing, by its very nature, crosses organizational, contractual and geographic boundaries— making proper system engineering essential to the success of a test program. Program/Agency culture strongly affects testing: A traditional engineering culture places emphasis on design because the design must come before testing. In addition, design organizations tend to have more status within an organization than the testing team. This inequality can lead to an adversarial relationship and can hamper communications between the design and test groups, resulting in severe negative effects on program success. Another cultural affect observed within testing programs is the mindset that each program stands on its own. Few resources are spent on trying to improve testing practices for the next program by understanding the current failures and sharing lessons learned. 65 7.1.3 Review of Original Hypotheses Through the interview process with experts in the testing field and subsequent analysis, the hypotheses stated at the beginning of the thesis were confirmed. The hypotheses were: Hypothesis 1: Many decisions makers do not utilize a holistic approach in addressing testing requirements. Most decision makers have good intentions and are making the best possible decisions based of the information they have available to them. In order to improve their decisions, all decision factors need to be considered, especially confidence factors and decision- making biases. Hypothesis 2: Life-cycle costs are not adequately addressed in the decision-making process. Again, decision makers must use the information that is available. Unfortunately, testing and on-orbit repair cost are not divided and tracked in a manner to yield highfidelity life-cycle cost estimates. Hypothesis 3: Decision makers are not fully aware of the influences inherent in the decision- making process. There are numerous decision- making factors and influences that decision makers must evaluate and balance. Many decision makers may not fully appreciate the significance of each decision factor or the long-term effects of their decisions. In addition, proactive efforts are typically not taken to minimize unintended decision-making behaviors or to capitalize on the desired biases. Hypothesis 4: The influence of organizational factors is not fully appreciated. Most managers do understand that the organizational structure does influence the overall efficiency of the project. What is not fully appreciated is the significant impact that organizational considerations have on testing and integration efforts later in the program. Most important, the ability to integrate software into each sub-system is strongly affected by organizational considerations. 7.2 Recommendations Numerous recommendations for improving future NASA human-rated spacecraft test programs have been discussed throughout this thesis. The most significant recommendations are summarized in this section. Even though these proposals specifically 66 address NASA programs, each can be applied, in principle, to other programs and industries. o Form an agency-wide team to seek out best practices in the test engineering field. NPG 7120.5 should then be updated to give managers detailed guidelines for test planning and implementation. o Enhance the current risk management practices to include an assessment of all decisions making factors that contribute to the overall level of likelihood. In addition, the current rationale used to rank competing risks should re-evaluated. o Establish improved training and mentoring programs for test engineers. The agency should also evaluate the feasibility of establishing a small testing corps that would remain intact and move from one project to another, augmenting the resident testing teams of each project. This testing corps would mentor the other engineers on the project, while learning new skills and best practices as well. This approach would proliferate the needed test expertise throughout the agency, which is important to maintain because contractor organizations are not consistent between programs and projects. o Assign both responsibility and accountability for software to system engineering. Software is an integral part of the system and should be treated equally with the other system components. o Consider test engineering a valid profession with a viable career path for test engineers. This would help to improve the current leve l of prestige that testing receives within the agency and also help to retain the critical test engineering skills. o Track actual testing costs in a manner that will allow for better estimates of future test requirement costs. In addition, a better method for tracking and estimating lifecycle costs should be established. o Include testing in the earliest stages of the spacecraft’s development process. Proper system and test engineering representation in the design definition phase will increase the fidelity of the test requirements and effectiveness of test programs. In addition, having previous experience with the hardware and software can be very important in recognizing system trends and unexpected emergent behavior in the later phases of the program. o Recognize and understand personal risk-tolerance levels and how individual decision- making styles affect decisions. Furthermore, decision- making styles could be matched to specific types of management positions. A balanced team of riskadverse and risk-tolerant personalities will provide a collaborative environment that will place proper emphasis on all of the decision factors being considered. 67 o Establish separate test organizations within the projects in order to develop skills, facilitate knowledge transfer, improve communication, and establish consistent test philosophies. If a separate test organization is established, however, increased integration and communication will be required. o Align all project participants with the overall goals of the project and hold them accountable for the systems ultimate success or failure. 7.3 Future Work Based on the findings and recommendations presented in this thesis, three suggestions for future research are provided. These suggestions are offered as next steps for additional understanding of the nature of testing within spacecraft development programs. o Interviews from outside the human-rated spacecraft arena should be conducted to capture the expert testing knowledge that exists across NASA and outside of the agency. A comparison of the common themes and findings could be made to those identified in this thesis in order to build on the existing foundation of knowledge. o Investigation into the current methods for estimating and tracking spacecraft testing life-cycle costs should be conducted and a reliable cost estimating tool developed. Such a tool would be useful for future spacecraft development program planning and budgeting. o Further research into the individual decision- making process, as it applies to testing, is also suggested. A deeper understanding of the testing decision-making process will serve as a starting point for the development of a rigid decision making framework. 68 Notes [1] Young, T. “Mars Program Independent Assessment Team Report ”. NAS A, March 14, 2000. [2] Link, D.C.R (Chairman). “Report of the Huygens Communications System Inquiry Board”. NASA, December 2000. [3] Zarakhovich, Y. “Why No One Escaped From The Kursk”. Time Magazine. June 3, 2002. [4] Zarakhovich, p. 1. [5] NASA. NASA Systems Engineering Handbook, SP-6105. NASA, June, 1995. [6] NASA. Program and Project Management Policy Guide, NPG 7120.5B. NASA. 2000. [7] Bonabeau, Eric. “Predicting The Unpredictable ”. Harvard Business Review. March, 2002. [8] Blanchard, B.S. and Fabrycky, W.J. Systems Engineering and Analysis. Prentice Hall. January, 1998, p.121. [9] NASA (SP-6105), p. 3. [10] NASA (SP-6105), p. 3. [11] NASA (SP-6105), p. 21. [12] NASA (SP-6105), p. 21. [13] NASA (SP-6105), p. 106. [14] Wilkins, D. J. “The Bathtub Curve, Infant Mortality and Burn-in”. Reliability Hot Wire, http://weibull.com/hotwire/issues21/hottopics21.htm. [15] NASA (SP-6105), p. 106. [16] NASA (SP-6105), p. 106. [17] Blanchard, p. 126. [18] NASA (SP-6105), p. 106. [19] Blanchard, p. 121. [20] Herbert, F. http://www.quotationspage.com. [21] Expert Interview #8, October 1, 2002. [22] NASA (SP-6105), p. 38. [23] Expert Interview #9, October 2, 2002. [24] Expert Interview #11, October 8, 2002. [25] Expert Interview #1, August 13, 2002. [26] Expert Interview #6, August 29, 2002. 69 [27] Expert Interview #6, August 29, 2002. [28] Expert Interview #7, September 30, 2002. [29] Expert Intervie w #13, October 29, 2002. [30] Expert Interview #5, August 20, 2002. [31] Expert Interview #7, September 30, 2002. [32] Expert Interview #11, October 8, 2002. [33] Expert Interview #6, August 29, 2002. [34] Expert Interview #10, October 4, 2002. [35] Expert Interview #13, October 29, 2002. [36] Expert Interview #8, October 1, 2002. [37] NASA (NPG 7120.5B), p. 64. [38] Expert Interview 12, October 28, 2002. [39] Expert Interview #13, October 29, 2002. [40] Robbins, S.P. Organizational Behavior, 9th Edition. Prentice Hall. 2001, p. 424. [41] Expert Interview #5, August 20, 2002. [42] Forsberg, K and Mooz, H. Visualizing Project Management. John Wiley and Sons. May, 2000. [43] Forsberg, p. 21. [44] Expert Interview #6, August 29, 2002. [45] Leveson, N.G. Safeware: System Safety and Computers . Addison Wesley, 1995. [46] Margolies, D. “Test What You Fly?”. NASA, ASK Magazine, Volume 9, p. 7 October 2002. [47] NASA (NPG 7120.5B), p. 91. [48] NASA (NPG 7120.5B), p. 91. [49] Expert Interview #9, October 2, 2002. [50] Lions, J.L. (Chairman). “Ariane 501 Failure: Report by the Inquiry Board”. European Space Agency, 19 July, 1996. [51] Lions, p. 16. [52] Leveson, N.G. “The Role of Software in Spacecraft Accidents”. Massachusetts Institute of Technology. 2002. [53] Expert Interview #4, August 20, 2002. [54] Expert Interview #7, September 30, 2002. [55] Expert Interview #6, August 29, 2002. 70 [56] Link, p. 7. [57] Branscome, D.R. (Chairman). “WIRE Mishap Investigation Board Report ”. NASA, June 8, 1999. [58] Arceneaux, W.H. “International Space Station (ISS) Integration and Verification Methods, Current Status, and Future Plans ”. AIAA. October, 2002. [59] Expert Interview #11, October 8, 2002. [60] Expert Interview #9, October 2, 2002. [61] Expert Interview #9, October 2, 2002. [62] Leveson (Safeware), p. 75. [63] NASA. “Risk Management Procedures and Guidelines”, NPG8000.4. NASA. April, 2002. [64] NASA (NPG 8000.4), p. 11. [65] NASA (NPG 8000.4), p. 12. [66] NASA (NPG 8000.4), p. 10. [67] NASA (NPG 8000.4), p. 11. [68] NASA (NPG 8000.4), p. 12. [69] NASA. International Space Station Program, Risk Management Plan, SSP 50175A. NASA. April, 2002. [70] NASA (SSP-50175A), p. 18. [71] NASA (SSP-50175A), p. 14. [72] NASA (SSP-50175A), p. 18. [73] Leveson (Safeware), p. 273. [74] Leveson (Safeware), pp. 272-273. [75] NASA (SSP-50175A), p. 18. [76] Allen, T.J. “Organizing for More Effective Product Development (Working Paper). January, 2002. 71 References Allen, T.J. “Organizing for More Effective Product Development (Working Paper). January, 2002. Arceneaux, W.H. “International Space Station (ISS) Integration and Verification Methods, Current Status, and Future Plans ”. AIAA. October, 2002. Blanchard, B.S. and Fabrycky, W.J. Systems Engineering and Analysis. Prentice Hall. January, 1998. Bonabeau, Eric. “Predicting The Unpredictable ”. Harvard Business Review. March, 2002. Branscome, D.R. (Chairman). “WIRE Mishap Investigation Board Report ”. NASA, June 8, 1999. Chandler, S. MEIT Overview. NASA, November, 2001. Chiles, J. Inviting Disaster. Harper Collins. 2001. Forsberg, K and Mooz, H. Visualizing Project Management. John Wiley and Sons. May, 2000. Gallina, T. 6A MEIT I. NASA. August, 2002. Hasting, D. Space Systems Architecture and Design. Space Sys tems, Policy Architecture Research Consortium. March, 2002. Jordan, J., Michel, F. The LEAN Company, Making The Right Choices. Society of Manufacturing Engineers. 2001. Kahneman, D. Choices, Values and Frames. Cambridge University Press. 2002. Kohler, H. Statistics For Business and Economics, 2nd Edition. Scott, Forsman and Company. 1988. Krieck, J. “Lessons on Program Management, How To Accumulate Scar Tissue ”. MIT, Systems Design and Management. July, 2002. Leveson, N.G. “The Role of Software in Spacecraft Accidents”. Massachusetts Institute of Technology. 2002. Leveson, N.G. Safeware: System Safety and Computers . Addison Wesley, 1995. 72 Link, D.C.R (Chairman). “Report of the Huygens Communications System Inquiry Board”. NASA, December 2000. Lions, J.L. (Chairman) “Ariane 501 Failure: Report by the Inquiry Board”. European Space Agency, 19 July, 1996. Margolies, D. “Test What You Fly?”. NASA, ASK Magazine, Volume 9. October 2002. McManus, H, Warmkessel, J. New Methods for Architecture Selection and Conceptual Design, SPARC Program Overview. Space Systems, Policy Architecture Research Consortium. March, 2002. NASA. Independent Verification and Validation (IV&V) Criteria, NPG 2820. NASA. Proposed Appendix. NASA. International Space Station Program, Risk Management Plan, SSP 50175A. NASA. April, 2002. NASA. NASA Systems Engineering Handbook, SP-6105. NASA, June, 1995. NASA. Program and Project Management Policy Guide, NPG 7120.5A. NASA. 2000. NASA. Risk Management Procedures and Guidelines, NPG 8000.4. NASA. April, 2002. NASA. Software Independent Verification and Validation (IV&V) Policy, NPD 8730.4. NASA, August 2001. Robbins, S.P. Organizational Behavior, 9th Edition. Prentice Hall. 2001. Schultz, D., Bachman, J. A Matrix Approach to Software Process Definition. November, 2000. Sterman, J. Business Dynamics, Systems Thinking and Modeling For A Complex World. McGraw Hill. 2000. Urlich, K, Eppinger, S. Product Design and Development. McGraw Hill Company. 2000. Young, T. “Mars Program Independent Assessment Team Report ”. NASA, March 14, 2000. Zarakhovich, Y. “Why No One Escaped From The Kursk”. Time Magazine. June 3, 2002. 73 Appendix A – Expert Interview Questionnaire Section I: Basic Information 1. Full Name (optional): _______________________________________ 2. Date: ___/___/___ 3. Organization: ________________ 3A. Location (City/State): _______________________ 4. Job Title: _____________________ 5. Number of years working at your job: ___ 6. Area of Expertise: _____________________ 7. Which of these best describes your Job Title: (a) Systems Engineer (b) Project Manager (c) Other (please specify): ___________________ 8. Email Address: _______________________ 9. Telephone Number: _________________ Section II: The Role of Testing and Requirement Definition: 10. What type of testing is performed by your organization? (qualification, acceptance, integration, etc.). 11. What purpose does testing serve in your program, how important is it? (In other words, is it a double-check or is it the only way items are verified)? 12. Would you consider one type of testing more important than the others? 13. What would you consider to be the optimal phase in a new program to address test requirements for spacecraft programs and why? a. In your experience, when does it actually take place? b. What are the advantages and disadvantages? c. What are the barriers to the optimal timing? 14. How is criticality determined and functionality prioritized? What systematic way do yo u use to establish this priority and when in the process is it accomplished? 15. What criteria are used to establish the robustness and accuracy of emulators and simulators. How does this decision affect other testing decisions? 16. What process do you use to define/evaluate/approve test requirements initially? 74 17. What is the process for determining the level of testing to be performed and the time/phase when it is performed? 18. How and when are decisions made regarding the use of prototyping, proto-flights, or struc tural test articles? 19. Are test requirement reviews held in parallel with other system level reviews? Why or why not? 20. How are cost factors used in deciding when, and to what extent, testing is performed? Section III: Decision Making Factors 21. What factors do you consider when deciding what tests to perform? a. Are the factors always the same or do they change based on the situation? b. Where does the data come from that decisions are based on? c. What do you use (or have you seen used) as the basis for decisio ns (for example: past experience, organization/program policy, defined framework, gut feeling, political influence? 22. What other external factors influence the decisions? 23. What cost factors influence test requirement development? 24. Relatively, how are these factors weighted and does this weighting change depending on the situation? 25. Under what circumstances does planned testing change? 26. Sometimes during testing the system will act in an unexpected manner, allowing you to learn more about the design and/or unintended behavior. Do you anticipate that this will happen and if so, how do you handle this in developing requirements? How do you handle the risk of unknown system behavior? 27. Is hardware and software system testing treated differently? In what way? 28. What is the best time to merge hardware and software testing? Who makes that decision? a. What are the trade-offs between the different options? b. How are these trade-offs handled…what determines the priority? 29. What are the similarities between the hardware and software testing environments and what are the differences? 75 30. For software testing, how do you determine what tests are repeated (after a new s/w release or change) vs. those that can be simulated? Section IV: Testing Budgets and Cost Considerations 31. Is there a separately identifiable budget line item for testing in your program? If, so what amount is it and what percentage of the total program cost does it represent? 32. How does this compare to other programs? 33. How much of the program budget should be spent on testing? 34. Are life cycle costs considered in testing decisions and if so how? Section V: Organizational Factors and Knowledge Transfer 35. What would you consider to be the optimal way to organize to support testing (should there be a separate testing group)? a. In your experience, how are the programs organized? b. What are the advantages and disadvantages? c. What are the barriers to the optimal organization? 36. Who “owns” (or should own) the requirements? 37. Who makes the recommendations and who is the final decision maker when it comes to testing? 38. How does System Engineering affect the different stages of testing? How does reality compare to the ideal situation? 39. What best practices can be obtained from earlier programs and how can they be incorporated into cur rent testing programs? How well are these lessons transferred to other programs? 40. What would you change about your testing program if you could? 76 Appendix B - Glossary Analysis: The use of specific techniques, such as statistics, modeling, or qualitative methods to verify compliance to specifications/requirements. Consequence: An assessment of the worst credible potential result(s) of a risk. Inspection: Techniques used to physically verify design features. Likelihood: The probability that an identified risk event will occur. Risk: The combination of (1) the probability (qualitative or quantitative) that a program or project will experience an undesired event such as cost overrun, schedule slippage, safety mishap, compromise of security, or failure to achieve a needed technological breakthrough; and (2) the consequences, impact, or severity of the undesired event were it to occur. Safety: Freedom from those conditions that can cause death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment. Similarity: A verification technique that uses comparison of similar hardware components. Simulation: A technique for verification that uses hardware or software other than flight items, but built to behave in an identical manner as flight systems. Test Organization: Those engineers accountable for implementing test requirements and the program management functions for these activities. Testing: A method of verification in which the actual equipment is allowed to operate under conditions that demonstrate its ability to perform as specified by the design requirements. Uncertainty: The lack of knowledge about an outcome or event that hampers a manager’s ability to make decisions and draw conclusions. Validation: Determining that a system performs as intended by the customer. Verification: Determining that a system performs according to the design requirements. 77